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Preface 


Towards the end of the 1960s, under the influence of the rapid development 
of microelectronics, electromechanical cryptological machines began to be 
replaced by electronic data encryption devices using large-scale integrated 
circuits. This promised more secure encryption at lower prices. Then, in 
1976, Diffie and Heilman opened up the new cryptological field of public-key 
systems. Cryptography, hitherto cloaked in obscurity, was emerging into the 
public domain. Additionally, ENIGMA revelations awoke the public interest. 

Computer science was a flourishing new field, too, and computer scientists 
became interested in several aspects of cryptology. But many of them were 
not well enough informed about the centuries-long history of cryptology and 
the high level it had attained. I saw some people starting to reinvent the 
wheel, and others who had an incredibly naive belief in safe encryption, 
and I became worried about the commercial and scientific development of 
professional cryptology among computer scientists and about the unstable 
situation with respect to official security services. 

This prompted me to offer lectures on this subject at the Munich Institute of 
Technology. The first series of lectures in the winter term 1977/78, backed 
by the comprehensive and reliable book The Codebreakers (1967) by David 
Kahn, was held under the code name ‘Special Problems of Information 
Theory’ and therefore attracted neither too many students nor too many 
suspicious people from outside the university. 

Next time, in the summer term of 1981, my lectures on the subject were 
announced under the open title ‘Cryptology’. This was seemingly the first 
publicly announced lecture series under this title at a German, if not indeed 
a Continental European, university. 

The series of lectures was repeated a few times, and in 1986/87 lecture notes 
were printed which finally developed into Part I of this book. Active interest 
on the side of the students led to a seminar on cryptanalytic methods in the 
summer term of 1988, from which Part II of the present book originated. 
The 1993 first edition (in German) of my book Kryptologie , although written 
mainly for computer science students, found lively interest also outside the 
field. It was reviewed favorably by some leading science journalists, and 
the publisher followed the study book edition with a 1995 hardcover edition 
under the title Entzifferte Geheimnisse [Decrypted Secrets], which gave me 
the opportunity to round out some subjects. Reviews in American journals 
recommended also an English version, which led in 1997 to the present book. 

It has become customary among cryptologists to explain how they became 
acquainted with the field. In my case, this was independent of the Second 
World War. In fact, I was never a member of any official service—and I 
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consider this my greatest advantage, since I am not bound by any pledge of 
secrecy. On the other hand, keeping eyes and ears open and reading between 
the lines, I learned a lot from conversations (where my scientific metier was 
a good starting point), although I never know exactly whether I am allowed 
to know what I happen to know. 


It all started in 1951, when I told my former professor 
of formal logic at Munich University, Wilhelm Brit- 
zelmayr, of my invention of an error-correcting code 
for teletype lines 1 . This caused him to make a wrong 
association, and he gave me a copy of Sacco’s book, 
which had just appeared 2 . I was lucky, for it was the 
best book I could have encountered at that time— 
although I didn’t know that then. I devoured the 
book. Noticing this, my dear friend and colleague 
Paul August Mann, who was aware of my acquain¬ 
tance with Shannon’s redundancy-decreasing encod¬ 
ing, gave me a copy of the now-famous paper by 
Claude Shannon called Communication Theory of Secrecy System s 3 (which 
in those days as a Bell Systems Technical Report was almost unavailable in 
Germany). I was fascinated by this background to Shannon’s information 
theory, which I was already familiar with. This imprinted my interest in 
cryptology as a subheld of coding theory and formal languages theory, fields 
that held my academic interest for many years to come. 



Luigi Sacco (1883—1970) 


Strange accidents—or maybe sharper observation—then brought me into 
contact with more and more people once close to cryptology, starting with 
Willi Jensen (Flensburg) in 1955, Karl Stein (Munich) in 1955, Hans Rohr- 
bach, my colleague at Mainz University, in 1959, as well as Helmut Grunsky, 
Gisbert Hasenjager, and Ernst Witt. In 1957, I became acquainted with 
Erich Hlittenhain (Bad Godesberg), but our discussions on the suitability of 
certain computers for cryptological work were in the circumstances limited 
by certain restrictions. Among the American and British colleagues in nu¬ 
merical analysis and computer science I had closer contact with, some had 
been involved with cryptology in the Second World War; but no one spoke 
about that, particularly not before 1974, the year when Winterbotham’s book 
The Ultra Secret appeared. In 1976, I heard B. Randall and I. J. Good reveal 
some details about the Colossi in a symposium in Los Alamos. As a science- 
oriented civilian member of the cryptology academia, my interest in cryp¬ 
tology was then and still is centered on computerized cryptanalysis. Other 
aspects of signals intelligence (‘SIGINT’), for example, traffic analysis and di¬ 
rection finding, are beyond the scope of this book; the same holds for physical 
devices that screen electromechanical radiation emitted by cipher machines. 


1 DBP No. 892767, application date January 21. 1951. 

2 General Luigi Sacco, Manuel de Cryptographic. Payot, Paris 1951. 

3 Bell Systems Technical Journal 28, Oct. 1949, pp. 656-715. 
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Cryptology is a discipline with an international touch and a particular ter¬ 
minology. It may therefore be helpful sometimes to give in this book some 
explanations of terms that originated in a language other than English. 

The first part of this book presents cryptographic methods. The second part 
covers cryptanalysis, above all the facts that are important for judging cryp¬ 
tographic methods and for saving the user from unexpected pitfalls. This 
follows from Kerckhoffs’ maxim: Only a cryptanalyst can judge the secu¬ 
rity of a cryptosystem. A theoretical course on cryptographic methods alone 
seems to me to be bloodless. But a course on cryptanalysis is problematic: 
Either it is not conclusive enough, in which case it is useless, or it is conclu¬ 
sive, but touches a sensitive area. There is little clearance in between. I have 
tried to cover at least all the essential facts that are in the open literature or 
can be deduced from it. No censorship took place. 

Certain difficulties are caused by the fact that governmental restrictions dur¬ 
ing and after World War H, such as the ‘need to know’ rule and other gim¬ 
micks, misled even people who had been close to the centers of cryptanalysis. 
Examples include the concept of Banburismus and the concept of a ‘cilli’. 
The word Banburismus—the name was coined in Britain—was mentioned in 
1985 by Deavours and Kruh in their book, but the method was only vaguely 
described. Likewise, the description Kahn gave in 1991 in his book is rather 
incomplete. On the other hand, in Kozaczuk’s book of 1979 (English edi¬ 
tion of 1984), Rejewski gave a description of Rozycki’s‘clock method’, which 
turned out to be the same—but most of the readers could not know of this 
connection. Then, in 1993, while giving a few more details on the method, 
Good (in ‘Codebreakers’) confirmed that “Banburism was an elaboration 
of... the clock method... [of]... Rozycki”. He also wrote that this elabora¬ 
tion was ‘invented at least mainly by Turing’, and referred to a sequential 
Bayesian process as the “method of scoring”. For lack of declassified concrete 
examples, the exposition in Sect. 19.4.2 of the present book, based on the re¬ 
cently published postwar notes of Alexander and of Mahon and articles by 
Erskine and by Noskwith in the recent book Action This Day, cannot yet be 
a fully satisfactory one. And as to cillies, even Gordon Welchman admitted 
that he had misinterpreted the origin of the word, thinking of ‘silly’. Other 
publications gave other speculations, see Sect. 19.7, fn. 29. Ralph Erskine, in 
Action This Day, based on the recently declassified ‘Cryptanalytic Report 
on the Yellow Machine’, 71-4 (NACP HCC Box 1009, Nr. 3175), gives the 
following summary of the method: 

Discovered by Dilly Knox in late January 1940, cillies reduced enormously 
the work involved in using the Zygalski sheets, and after 1 May, when the 
Zygalski sheets became useless, they became a vital part of breaking Enigma 
by hand during most of 1940. They were still valuable in 1943. 

Cillies resulted from a combination of two different mistakes in a multi-part 
message by some Enigma operators. The first was their practice of leaving 
the rotors untouched when they reached the end of some part of the message. 



Since the letter count of each message part was included in the preamble, the 
message key of the preceding part could be calculated within fine limits. The 
second error was the use of non-random message keys—stereotyped keyboard 
touches and 3-letter-acronyms. In combination, and in conjunction with the 
different turnover points of rotors I to V, they allowed one to determine which 
rotors could, and which could not, be in any given position in the machine.’ 
Although Banburismus and cillies were highly important in the war, it is 
hard to understand why Derek Taunt in 1993 was prevented by the British 
censor from telling the true story about cillies. Possibly, the same happened 
to Jack Good about Banburismus. 

*** 

My intellectual delight in cryptology found an application in the collection 
‘Informatik’ of the Deutsches Museum in Munich which I built up in 1984 
-1988, where there is a section on cryptological devices and machines. My 
thanks go to the Deutsches Museum for providing color plates of some of the 
pieces on exhibit there. 

And thanks go to my former students and co-workers in Munich, Manfred 
Broy, Herbert Ehler, and Anton Gerold for continuing support over the years, 
moreover to Hugh Casement for linguistic titbits, and to my late brother- 
in-law Alston S. Householder for enlightenment on my English. Karl Stein 
and Otto Leiberich gave me details on the ENIGMA story, and I had fruitful 
discussions and exchanges of letters with Ralph Erskine, Heinz Ulbricht, Tony 
Sale, Frode Weierud, Kjell-Ove Widman, Otto J. Horak, Gilbert Bloch, Arne 
Fransen, and Fritz-Rudolf Giintsch. Great help was given to me by Kirk 
H.Kirchhofer from Crypto AG, Zug (Switzerland). Hildegard Bauer-Vogg 
supplied translations of difficult Latin texts, Martin Bauer, Ulrich Bauer and 
Bernhard Bauer made calculations and drawings. Thanks go to all of them. 
The English version was greatly improved by J. Andrew Ross, with whom 
working was a pleasure. In particular, my sincere thanks go to David Kahn 
who encouraged me (“The book is an excellent one and deserves the widest 
circulation”) and made quite a number of proposals for improvements of the 
text. For the present edition, additional material that has been made public 
recently has been included, among others on Bletchley Park, the British at¬ 
tack on Tunny, Colossus and Max Newman’s pioneering work. Moreover, my 
particular thanks go to Ralph Erskine who indefatigably provided me with 
a lot of additional information and checked some of the dates and wordings. 
In this respect, my thanks also go to Jack Copeland, Heinz Ulbricht, and 
Augusto Buonafalce. Finally, I have to thank once more Hans Wossner for 
a well functioning cooperation of long standing, and the new copy editor 
Ronan Nugent for very careful work. The publisher is to be thanked for the 
fine presentation of the book. And I shall be grateful to readers who are kind 
enough to let me know of errors and omissions. 

Grafrath, Spring 2006 


F. L. Bauer 
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Reciprocal cipher alphabet by 
Giovan Batista Belaso, 1553 


ars ipsi secreta magistro 
[An art secret even for the master] 
Jean Robert du Carlet, 1644 

For it is better for a scribe 
to be thought ignorant 
than to pay the penalty 
for the detection of plans. 

Giambattista Della Porta, 1563 



Giambattista Della Porta 


(1535-1615) 




Only a few decades ago one could say that cryptology, the study of secret 
writing and its unauthorized decryption, was a field that flourished in conceal¬ 
ment- flourished, for it always nurtured its professional representatives well. 
Cryptology is a true science: it has to do with knowledge (Latin scientia ), 
learning and lore. 

By its very nature cryptology not only concerns secretiveness, but remains 
shrouded in secrecy itself—occasionally even in obscurity. It is almost a 
secret science. The available classic literature is scant and hard to track 
down: under all-powerful state authorities, the professional cryptologists in 
diplomatic and military services were obliged to adopt a mantle of anonymity 
or at least accept censorship of their publications. As a result, the freely 
available literature never fully reflected the state of the art—we can assume 
that things have not much changed in that respect. 

Nations vary in their reticence: whereas the United States of America released 
quite generous information on the situation in the Second World War, the 
Soviet Union cloaked itself in silence. That was not surprising; but Britain has 
also pursued a policy of secretiveness which sometimes appears excessive—as 
in the COLOSSUS story. At least one can say that the state of cryptology 
in Germany was openly reported after the collapse of the Reich in 1945. 1 
Cryptology as a science is several thousand years old. Its development has 
gone hand in hand with that of mathematics, at least as far as the persons 
are concerned—names such as Frangois Viete (1540-1603) and John Wallis 
(1616 1703) occur. From the viewpoint of modern mathematics, it shows 
traits of statistics (William F. Friedman, 1920), combinatory algebra (Lester 
S. Hill, 1929), and stochastics (Claude E. Shannon, 1941). 


1 Hans Rohrbach (1948), Mathematische und maschinelle Methoden beim Chiffrieren und 
Dechiffrieren. In: FIAT Review of German Science 1939-1941: Applied Mathematics, 
Part I, Wiesbaden, 1948. 


The People 3 


Mathematicians as cryptologists. Traditionally, mainly linguists were 
doing cryptanalysis. The Second World War finally brought mathemati¬ 
cians to the fore: for example, Hans Rohrbach (1903-1993) in Germany and 
Alan Mathison Turing (1912-1954) in the UK; A. Adrian Albert (1905-1972) 
and Marshall Hall (1910-1990) were engaged in the field in the United States; 
also J. Barkley Rosser, Willard Van Orman Quine, Andrew M. Gleason, and 
the applied mathematicians Vannevar Bush (1890-1974) and Warren Weaver 
(1894-1978). And there was Arne Beurling (1905-1986) in Sweden, Marian 
Rejewski (1905-1980) in Poland, Hugo Hadwiger (1908-1981) in Switzer¬ 
land; moreover Wolfgang Franz in Germany, Maurits de Vries in the Nether¬ 
lands, Ernst S. Selmer (b. 1920) in Norway, Erkki Sten Pale (b. 1906) in Fin¬ 
land, Paul Glur in Switzerland, and Shiro Takagi in Japan. 

One could mention a few more present-day mathematicians who have been en¬ 
gaged in official cryptology for a time. Some would prefer to remain incognito. 

The mathematical disciplines that play an important part in the current state 
of cryptology include number theory, group theory, combinatory logic, com¬ 
plexity theory, ergodic theory, and information theory. The field of cryptology 
can already be practically seen as a subdivision of applied mathematics and 
computer science. Conversely, for the computer scientist cryptology is gain¬ 
ing increasing practical importance in connection with access to operating 
systems, data bases and computer networks, including data transmission. 

Screen. Quite generally, it is understandable if intelligence services do not 
reveal even the names of their leading cryptologists. Admiral Sir HughP. F. 
Sinclair, who became in 1923 chief of the British Secret Intelligence Service 
(M.I.6), had the nickname ‘Quex’. Semi-officially, Sinclair and his successor 
General Sir Stewart Graham Menzies (1890-1968), were traditionally known 
only as ‘C’. Under them were a number of ‘Passport Control Officers’ at the 
embassies as well as the cryptanalytic unit at Bletchley Park, Buckingham¬ 
shire. And the name of Ernst C. Fetterlein (dec. 1944), who was till the Octo¬ 
ber Revolution head of a Russian cryptanalytic bureau (covername ‘Popov’) 
and served the Government Code and Cypher School of the British Foreign 
Office from June 1918, was mentioned in the open cryptological literature only 
incidentally in 1985 by Christopher Andrew and in 1986 by Nigel West. 2 

Professional cryptology is far too much at risk from the efforts of foreign secret 
services. It is important to leave a potential opponent just as much in the dark 
about one’s own choice of methods (‘encryption philosophy’) as about one’s 
ability (‘cryptanalytic philosophy’) to solve a message that one is not meant 
to understand. If one does succeed in such unauthorized decryption—as the 
British did with ENIGMA-enciphered messages from 1940 till 1945—then it 
is important to keep the fact a secret from one’s opponents and not reveal it 
by one’s reactions. As a result of British shrewdness, the relevant German au- 


2 Turing’s biographer Andrew Hodges (1983) even misspelled the name ‘Feterlain’, possi¬ 
bly resulting from mishearing it in a telephone conversation. 



4 Part I: Cryptography 


thorities, although from time to time suspicious, remained convinced until the 
approaching end of the war (and some very stubborn persons even in 1970) 
that the ciphers produced by their ENIGMA machines were unbreakable. 
The caution the Allies applied went so far that they even risked disinforma¬ 
tion of their own people: Capt. LauranceF. Safford, US Navy, Office of Naval 
Communications, Cryptography Section, wrote in an internal report of March 
18, 1942, a year after the return of Capt. Abraham Sinkov and Lt. Leo Rosen 
from an informative visit in February 1941 to Bletchley Park: “Our prospects 
of ever [!] breaking the German ‘Enigma’ cipher machine are rather poor.” This 
did not reflect his knowledge. But in addressing the US Navy leadership, he 
wanted to keep the secret of Bletchley Park struggling hard with the German 
Navy 4-rotor ENIGMA introduced a few weeks before (in February 1942), 
the breakthrough coming only in December 1942. 

In times of war, materiel and even human life must often be sacrificed in order 
to avoid greater losses elsewhere. In 1974, Group Captain Winterbotham said 
Churchill let Coventry be bombed because he feared defending it would reveal 
that the British were reading German ENIGMA-enciphered messages. This 
story, however, was totally false: As the targets were indicated by changing 
code words, this would not in fact have been possible. But, the British were 
initially very upset when, in mid-1943, the Americans began systematically 
to destroy all the tanker U-boats, whose positions they had learnt as a result 
of cracking the 4-rotor ENIGMA used by the German submarine command. 
The British were justifiably concerned that the Germans would suspect what 
had happened and would greatly modify their ENIGMA system again. In 
fact they did not, instead ascribing the losses (incorrectly) to treachery. How 
legitimate the worries had been became clear when the Allies found out that 
for May 1, 1945, a change in the ENIGMA keying procedures was planned 
that would have made all existing cryptanalytic approaches useless. This 
change “could probably have been implemented much earlier” if it had been 
deemed worthwhile (Ralph Erskine). 

This masterpiece of security work officially comprised “intelligence resulting 
from the solution of high-grade codes and ciphers”. It was named by the Bri¬ 
tish “special intelligence” for short, and codenamed ULTRA, which also refer¬ 
red to its security classification. The Americans similarly called MAGIC the 
information obtained from breaking the Japanese cipher machines they dub¬ 
bed PURPLE. Both ULTRA and MAGIC remained hidden from Axis spies. 

Cryptology and criminology. Cryptology also has points of contact with 
criminology. References to cryptographic methods can be found in several 
textbooks on criminology, usually accompanied by reports of successfully 
cryptanalyzed secret messages from criminals still at large—smugglers, drug 
dealers, gun-runners, blackmailers, or swindlers—and some already behind 
bars, usually concerning attempts to free them or to suborn crucial witnesses. 
In the law courts, an expert assessment by a cryptologist can be decisive in 
securing convictions. During the days of Prohibition in the USA, Elizebeth 
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S. Friedman nee Smith (1892-1980), wife of the famous William Frederick 
Friedman (1891-1969) 3 and herself a professional cryptologist, performed 
considerable service in this line. She did not always have an easy time in 
court: counsel for the defence expounded the theory that anything could be 
read into a secret message, and that her cryptanalysis was nothing more than 
“an opinion”. The Swedish cryptologist Yves Gylden (1895-1963), a grand¬ 
son of the astronomer Hugo Gylden, assisted the police in catching smugglers 
in 1934. Only a few criminological cryptologists are known, for example the 
Viennese Dr. Siegfried Tiirkel in the 1920s and the New Yorker Abraham P. 
Chess in the early 1950s. Lately, international crime using cryptographic 
methods has again begun to require the attention of cryptanalysts. 

Amateurs. Side by side with state cryptology in diplomatic and military ser¬ 
vices have stood the amateurs, especially since the 19th century. We should 
mention some serious poets, novelists and fiction writers with nothing more 
than a fancy for cryptography: Stefan George, Robert Musil, and Vladimir 
Nabokov, and more recently Hans Magnus Enzensberger. But that is not all. 
From the revelation of historic events by retired 
professionals such as Etienne Bazeries 4 , to the 
after-dinner amusements practised by Wheat¬ 
stone 5 and Babbage 6 , and including journalis¬ 
tic cryptanalytic examples ranging from Edgar 
Allan Poe to the present-day Cryptoquip in the 
Los Angeles Times, accompanied by excursions 
into the occult, visiting Martians, and terror¬ 
ism, cryptology shows a rich tapestry, inter¬ 
woven with tales from one of the oldest of all 
branches of cryptology, the exchange of mes¬ 
sages between lovers. The letter-writer’s guides 
that appeared around 1750 soon offered crypto¬ 
graphic help, like De geheime brieven-schryver, 
angetoond met verscheydene voorbeelden by a 
certain G. v. K., Amsterdam, 1780, and Dem Magiske skrivekunstner , Copen¬ 
hagen, 1796. A century later, we find in German Sicherster Schutz des Brief- 
geheimnisses , by Emil Katz, 1901, and Amor als geheimer Bote. Geheimspra- 
che fiir Liebende zu Ansichts-Postkarten, presumably by Karl Peters, 1904. 

Mixed with sensational details from the First and Second World Wars, an ex¬ 
citing picture of cryptology in a compact, consolidated form first reached a 



3 Friedman, probably the most important American cryptologist of modern times, intro¬ 
duced in 1920 the Index of Coincidence , the sharpest tool of modern cryptanalysis. 

4 Etienne Bazeries (1846-1931), probably the most versatile French cryptologist of modern 
times, author of the book Les chiffres secrets devoiles (1901). 

5 Sir Charles Wheatstone (1802—1875), English physicist, professor at King’s College, 
London, best known for Wheatstone’s bridge (not invented by him). 

6 Charles Babbage (1791 1871), Lucasian Professor of Mathematics at the University of 
Cambridge, best known for his Difference Engine and Analytical Engine. 
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broad public in 1967 in David Kahn’s masterpiece of journalism and historical 
science The Codebreakers. In the late 1970s there followed several substantial 
additions from the point of view of the British, whose wartime files were at 
last (more or less) off the secret list; among the earliest were The Secret War 
by Brian Johnson, and later The Hut Six Story by Gordon Welchman. Cryp¬ 
tology’s many personalities make its history a particularly pleasurable field. 

Lewis Carroll. A quite remarkable role as an amateur was played by Charles 
Lutwidge Dodgson (1832-1898), nom de plume Lewis Carroll, the author of 
Alice in Wonderland, Through the Looking-Glass, and The Hunting of the 
Snark. He liked to amuse his friends and readers with puzzles, games, codes, 
and ciphers. Among the latter, he reinvented the Vigenere cipher with his 
1858 Key-Vowel Cipher (restricted to 5 alphabets, see Sect. 7.4.1) and his 
1868 Alphabet Cipher, moreover the Beaufort cipher (see Sect. 7.4.3) with 
his 1868 Telegraph Cipher. His 1858 Matrix Cipher was the first, and very 
elegant, version of a Variant Beaufort cipher (see Sect. 7.4.3). Like Charles 
Babbage (1791-1871) and Francis Beaufort (1774-1857), Lewis Carroll was 
an amateur who did not earn his money from cryptanalysis. 

Commerce. Commercial interest in cryptology after the invention of the 
telegraph concentrated on the production of code books, and around the 
turn of the century on the design and construction of mechanical and elec¬ 
tromechanical ciphering machines. Electronic computers were later used to 
break cryptograms, following initial (successful) attempts during the Second 
World War. A programmable calculator is perfectly adequate as a ciphering 
machine. But it was not until the mid-1970s that widespread commercial 
interest in encrypting private communications became evident (“Cryptology 
goes public,” Kahn, 1979); the options opened up by integrated circuits coin¬ 
cided with the requirements of computer transmission and storage. Further 
contributing to the growth of cryptology were privacy laws and fears of wire¬ 
tapping, hacking and industrial espionage. The increased need for informa¬ 
tion security has given cryptology a hitherto unneeded importance. Private 
commercial applications of cryptology suddenly came to the fore, and led to 
some unorthodox keying arrangements, in particular asymmetric public keys, 
invented in 1970 by James H. Ellis and first proposed publicly in 1976 by 
Whitfield Diffie and Martin Heilman. More generally, the lack of adequate 
copyright protection for computer programs has encouraged the use of en¬ 
cryption methods for software intended for commercial use. 

Civil rights. The demand for “cryptology for everyman” raises contra¬ 
dictions and leads to a conflict of interests between the state and scien¬ 
tists. When cryptology use becomes widespread and numerous scientists 
are occupied in public with the subject, problems of national security arise. 
Typically, authorities in the United States began to consider whether pri¬ 
vate research into cryptology should be prohibited—as private research into 
nuclear weapons was. On May 11, 1978, two years after the revolutionary ar¬ 
ticle by Diffie and Heilman, a high-ranking judicial officer, John M. Harmon, 
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Assistant Attorney General, Office of Legal Counsel, Department of Justice, 
wrote to Dr. Frank Press, science advisor to the President: “The crypto¬ 
graphic research and development of scientists and mathematicians in the 
private sector is known as ‘public cryptography’. As you know, the serious 
concern expressed by the academic community over government controls of 
public cryptography led the Senate Select Committee on Intelligence to con¬ 
duct a recently concluded study of certain aspects of the field.” These aspects 
centered around the question of whether restraints based on the International 
Traffic in Arms Regulation (ITAR) “on dissemination of cryptographic in¬ 
formation developed independent of government supervision or support by 
scientists and mathematicians in the private sector” are unconstitutional un¬ 
der the First Amendment, which guarantees freedom of speech and of the 
press. It was noted: “Cryptography is a highly specialized field with an au¬ 
dience limited to a fairly select group of scientists and mathematicians ... a 
temporary delay in communicating the results of or ideas about cryptographic 
research therefore would probably not deprive the subsequent publication of 
its full impact.” 

Cryptological information is both vital and vulnerable to an almost unique 
degree. Once cryptological information is disclosed, the government’s in¬ 
terest in protecting national security is damaged and may not be repaired. 
Thus, as Harmon wrote in 1978, “a licensing scheme requiring prepublication 
submission of cryptographic information” might overcome a presumption of 
unconstitutionality. Such a scheme would impose “a prepublication review 
requirement for cryptographic information, if it provided necessary procedu¬ 
ral safeguards and precisely drawn guidelines” , whereas “a prior restraint on 
disclosure of cryptographic ideas and information developed by scientists and 
mathematicians in the private sector is unconstitutional.” 

Furthermore, in the 1980s, the Department of Justice warned that export 
controls on cryptography presented “sensitive constitutional issues”. 

Let us face the facts: cryptosystems are not only considered weapons by the 
US government—and also by other governments—they are weapons, weapons 
for defense and weapons for attack. The Second World War has taught us 
this lesson. 

Harmon wrote moreover: “Atomic energy research is similar in a number of 
ways to cryptographic research. Development in both fields has been dom¬ 
inated by government. The results of government created or sponsored re¬ 
search in both fields have been automatically classified because of the immi¬ 
nent danger to security flowing from disclosure. Yet meaningful research in 
the field may be done without access to government information. The results 
of both atomic energy and cryptographic research have significant nongovern¬ 
mental uses in addition to military use. The principal difference between the 
fields is that many atomic energy researchers must depend upon the gov¬ 
ernment to obtain radioactive source material necessary in their research. 
Cryptographers, however, need only obtain access to an adequate computer.” 
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In other words, cryptology invites dangerous machinations even more than 
atomic energy. At least the crypto weapon does not kill directly— but it may 
cover up crimes. 

The responsibility of the government and the scientists in view of the nim¬ 
bleness of cryptological activities is reflected in the Computer Security Act 
of the US Congress of 1987 (Public Law 100-235). It established a Com¬ 
puter System Security and Privacy Advisory Board (CSSPAB), composed of 
members of the federal government and the computer industry. While a la¬ 
tent conflict did exist, its outbreak seemed to have been avoided in the USA 
till 1993 due to voluntary restraint on the part of cryptologists (exercised by 
the Public Cryptography Study Group). 

In 1993, however, a crypto war broke out between the government and civil 
rights groups, who felt provoked by the announcement in April 1993—which 
came also as a surprise to the CSSPAB—and the publication in February 
1994 of an Escrowed Encryption Standard (EES), a Federal Information Pro¬ 
cessing Standards publication (FIPS 185). The standard makes mandatory 
an escrow system for privately used keys. While this persistent conflict is not 
scientific, but rather political, it still could endanger the freedom of science. 
Things look better in liberal, democratic Europe; prospects are lower that 
authorities would be successful everywhere in restraining scientific cryptolo¬ 
gy. In the European Union, discussions started in 1994 under the keyword 
“Euro-Encryption”, and these may also lead in the end to a regulation of 
the inescapable conflict of interests between state authorities and scientists. 
France dropped in 1999 its escrow system. In the former Soviet Union, the 
problem was of course easily settled within the framework of the system, 
but in today’s Russia, in China, and in Israel strong national supervision 
continues. 

A Janus face. Cryptography and cryptanalysis are the two faces of cryptolo¬ 
gy; each depends on the other and each influences the other in an interplay 
of improvements to strengthen cryptanalytic security on the one side and 
efforts to mount more efficient attacks on the other side. Success is rather 
rare, failures are more common. The silence preserved by intelligence services 
helps, of course, to cover up the embarrassments. All the major powers in 
the Second World War succeeded—at least occasionally—in solving enemy 
cryptosystems, but all in turn sometimes suffered defeats, at least partial. 
Things will not be so very different in the 21st century—thanks to human 
stupidity and carelessness. 
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En cryptographic, aucune regie n’est absolue. 

[In cryptography, no rule is absolute.] 
Etienne Bazeries (1901) 

1.1 Cryptography and Steganography 

We must distinguish between cryptography (Greek kryptos, hidden) and 
steganography (Greek steganos , covered). The term cryptographia, to mean 
secrecy in writing , was used in 1641 by John Wilkins, a founder with John 
Wallis of the Royal Society in London; the word ‘cryptography’ was coined 
in 1658 by Thomas Browne, a famous English physician and writer. It is 
the aim of cryptography to render a message incomprehensible to an un¬ 
authorized reader: ars occulte scribendi. One speaks of overt secret writing: 
overt in the sense of being obviously recognizable as secret writing. 

The term steganographia was also used in this sense by Caspar Schott, a 
pupil of Athanasius Kircher, in the title of his book Schola steganographia, 
published in Nuremberg in 1665; however, it had already been used by 
Trithemius in his first (and amply obscure) work Steganographia, which he 
began writing in 1499, to mean ‘hidden writing’. Its methods have the goal of 
concealing the very existence of a message (however that may be composed)— 
communicating without incurring suspicion (Francis Bacon, 1623: ars sine 
secreti latentis suspicione scribendi). By analogy, we can call this covert 
secret writing or indeed ‘steganography’. 

Cryptographic methods are suitable for keeping a private diary or notebook 
from Samuel Pepys (1633-1703) to Alfred C. Kinsey (1894-1956)—or pre¬ 
venting a messenger understanding the dispatch he bears; steganographic 
methods are more suitable for smuggling a message out of a prison—from Sir 
John Trevanion (Fig. 13), imprisoned in the English Civil War, to the French 
bank robber Pastoure, whose conviction was described by Andre Langie, and 
Klaus Croissant, the lawyer and Stasi collaborator who defended the Baader- 
Meinhof terrorist gang. The imprisoned Christian Klar used a book cipher. 
Steganography falls into two branches, linguistic steganography and technical 
steganography. Only the first is closely related to cryptography. The techni¬ 
cal aspect can be covered very quickly: invisible inks have been in use since 
Pliny’s time. Onion juice and milk have proved popular and effective through 
the ages (turning brown under heat or ultraviolet light). Other classical props 
are hollow heels and boxes with false bottoms. 
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Among the modern methods it is worth mentioning high-speed telegraphy, 
the spurt transmission of stored Morse code sequences at 20 characters per 
second, and frequency subband permutation (‘scrambling’) in the case of tele¬ 
phony, today widely used commercially. In the Second World War, the For- 
schungsstelle (research post) of the Deutsche Reichspost (headed by Postrat 
Dipl.-Ing. Kurt E. Vetterlein) listened in from March 1942 to supposedly se¬ 
cure radio telephone conversations between Franklin D. Roosevelt and Win¬ 
ston Churchill, including one on July 29, 1943, immediately before the cease¬ 
fire with Italy, and reported them via Schellenberg’s Reichssicherheitshaup- 
tamt, Amt VI to Himmler. 

Written secret messages were revolutionized by microphotography; a micro- 
dot the size of a speck of dirt can hold an entire quarto page—an extraor¬ 
dinary development from the macrodot of Histiaeus 1 , who shaved his slave’s 
head, wrote a message on his scalp; then waited for the hair to grow again. 
Microdots were invented in the 1920s by Emanuel Goldberg. The Russian 
spy Rudolf Abel produced his microdots from spectroscopic film which he was 
able to buy without attracting attention. Another Soviet spy, Gordon Arnold 
Lonsdale, hid his microdots in the gutters of bound copies of magazines. The 
microdots used by the Germans in the Second World War were of just the 
right size to be used as a full stop (period) in a typewritten document. 


1.2 Semagrams 


Linguistic steganography recognizes two methods: a secret message is either 
made to appear innocent in an open code, or it is expressed in the form 
of visible (though often minute) graphical details in a script or drawing, in 
a semagram. This latter category is especially popular with amateurs, but 
leaves much to be desired, since the details are too obvious to a trained and 
wary eye. The young Francis Bacon (1561-1626) invented the use of two type¬ 
faces to convey a secret message (Fig. 1), described in the Latin translation 
De dignitate et augmentis scientiarum (1623) of his 1605 book ProGcience 
and Advancement. It has never acquired any great practical importance (but 
see Sect. 3.3.3 for the binary code he introduced on this occasion). 


Cf 37 g <£ 

d &£<i££ dd £ £. a a £ £ddd £a<z, 

jjfcxntte H Dofo c/oiicc 


Fig. 1. Francis Bacon: Visible concealment of a binary code (‘biliteral cipher’) by means 
of different types of script. Note the different forms or /e/ in the word Manere 


The same steganographic principle appears to have been known in Paris at the 
same time, and was mentioned by Vigenere in 1586. Despite its clumsiness it 


1 


Kahn spells the name Histiaeus on p. 81, Histaeius on p. 780, and Histaieus in the index of 
his book The Codebreakers. Verily an example of ars occulte scribendi in an otherwise 
very reliable book! 
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In Konigsberg i. Pr. gabelt sich der Pregel und umflieJit eine 
Insel, die Kneiphof heifit* In den dreiftiger Jahren des acht- 
zehnten Jahrhunderts wurde das Problem gestellt, ob es wohl 
moglich wdre, in einem Spaziergang jede der sieben Konigsberger 
Briicken genau einmal zu iiberschreiten. 

Daft ein solcher Spaziergang unmoglich ist, war fiir L. EULER der 
Anlaft, mit seiner anno 1735 der Akademie der Wissenschaften 
in St. Petersburg vorgelegten Abhandlung Solutio problematis 
ad geometriam situs pertinentis (Commentarii Academiae Petro- 
politanae £ (1741) 128-140) einen der ersten Beitrage zur 
Topologie zu liefern. 

Das Problem besteht darin, im nachfolgend gezeichneten Graphen 
einen einfachen Kantenzug zu finden, der alle Kanten enthalt. 

Dabei reprasentiert die Ecke vom Grad 5 den Kneiphof und die 
beiden Ecken vom Grad 2 die Kramerbriicke sowie die Griine 
Briicke. 

Fig. 2. Semagram in a 1976 textbook on combinatory logic (the passage deals with the 
famous Konigsberg bridges problem). The lowered letters give the message 
“nieder mit dem sowjetimperialismus ” [down with Soviet imperialism] 


has lasted well: the most recent uses known to me are A. van Wijngaarden’s 
alleged usage of roman (.) and italic (.) full stops in the ALGOL 68 report. 
A second steganographic principle consists of marking selected characters in 
a book or newspaper; for example, by dots or by dashes. It is much more con¬ 
spicuous than the above-mentioned method —unless an invisible ink is used— 
but simpler to implement. A variant (in a book on combinatory logic) uses 
an almost imperceptible lowering of the letters concerned (Fig. 2). 


Own/out ohasi, it umd (jcrcrc/ ruw/t, for hear' that 
ycru hcwf ^owno/ a, on/ fa/udr. drma 

you, urdtt 4-aon aJ!S? to- lu-w. She4 

to J/oun, you, ncrur tlw cJuJtchi&n, an,( 


very jULc 
both ust 


r 


cnua 


Fig. 3. Visible concealment of a numeric code by spacing the letters (Smith) 


A third principle uses spaces between letters within a word (Fig. 3). In this 
example, it is not the letter before or after the space that is important, 
but the number of letters between successive letters ending with an upward 
stroke, 335151412343335145... . In 1895, A. Boetzel and 
Charles O’Keenan demonstrated this steganographic principle, also using a 
numeric code, to the French authorities (who remained unconvinced of its 
usefulness, not without reason). It appears to have been known before then 
in Russian anarchist circles, combined with the “Nihilist cipher” (Sect. 3.3.1). 
It was also used by German U-boat officers in captivity to report home on 
the Allies’ antisubmarine tactics. 
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ttfmfufmn * 

Fig. 4. Secret message solved by Sherlock Holmes (AM HERE ABE SLANEY), 
from The Adventure of the Dancing Men by Arthur Conan Doyle 

All these are examples of semagrams (visibly concealed secret writing). And 
there are many more. In antiquity fEneas used the astragal , in which a cord 
threaded through holes symbolized letters. A box of dominoes can conceal 
a message (by the positions of the spots), as can a consignment of pocket 
watches (by the positions of the hands). Sherlock Holmes’ dancing men 
(Fig. 4) bear a message just as much as hidden Morse code (Fig. 5): “com¬ 
pliments of CPSA MA to our chief Col. Harold R. Shaw on his visit to San 
Antonio May 11th 1945” (Shaw had been head of the Technical Operations 
Division of the US government’s censorship division since 1943). 



Fig. 5. Semagram. The message is in Morse code, formed by the 

short and long stalks of grass to the left of the bridge, along 
the river bank and on the garden wall 


A maze is a good example of a clear picture hidden in a wealth of incidental 
detail: the tortuous paths of Fig. 6 reduce to a graph which can be taken in 
at a glance. Autostereograms which require the viewer to stare or to squint 
in order to see a three-dimensional picture (Fig. 7) are also eminently suitable 
for concealing images, at least for a while. 

Of greater interest are those methods of linguistic steganography that turn 
a secret message into one that is apparently harmless and easily understood, 
although wrongly (open code). The principle is closer to that of cryptography. 
Again, there are two subcategories: masking and veiling. 
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2823071 

4620875 


307948125630794812563079481256307948125630794812563079481256307948125630794812 

618407329561840732956184032956187403295618403295671840329561840329756184032975 

901653287490165328749015326874915032687415093268417509326417850936421785093642 

803514967280351496728051349678051234967058123467059812347065981347026598134702 

'“13946208751394206875139420687519432068751943206851794320685179432068517 
'6293547801629543701629854370169825370164982537064192537086419253708641 

I_7062549381706549382176540938216540973816524097316524809316752480931675 

406135879240613587924613508792613450872613945082617394582610739482651073948265 

386209754138620975413620897541320689751324068975321406875392140685379214068537 

613284750961328475096128347509628134750629813475620981345672098135647209813564 

259861304725986130472586193047586219304586721934580672194583067294518306729451 

Q451367928Q451367928Q45367192Q458367192Q58346792Q15834679Q152836794Q152836794Q 

062851479306285147930628547930162854793016854792301685479231685407923168540792 

403926587140392658714039265871403926587140392658714039265871403926587140392658 

_ Bernhard Bauer 

Fig. 7. Autostereogram 


1.3 Open Code: Masking 

A secret writing or message masked as an open communication requires a 
prior agreement as to the true meaning of seemingly harmless phrases. This is 
probably the oldest form of secrecy technique—it is to be found in all cultures. 
Oriental and Far Eastern dealers and gamesters (and some Western ones) are 
reputed to be masters in the use of gestures and expressions. The following 
system is said to be common among American card cheats. The manner of 
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holding a cigarette or scratching one’s head indicates the suit or value of the 
cards held. A hand on the chest with the thumb extended means “I’m going 
to take this game. Anybody want to partner me?” The right hand, palm 
down, on the table means “Yes”, a clenched fist, “No, I’m working single, and 
I discovered this guy first, so scram!” The French conjurer Robert Houdin 
(1805-1871) is said to have used a similar system around 1845, with I, M, S, 
V standing for cceur, carreau, trefle , pique: il fait chaud or il y a du monde 
means “I have hearts”, as it starts with /I/. Things were no more subtle in 
English whist clubs in Victorian days; “Have you seen old Jones in the past 
fortnight?” would mean hearts, as it starts with /H/. The British team was 
suspected of exchanging signals at the world bridge championships in Buenos 
Aires in 1965—nothing could be proved, of course. 

Sometimes, a covert message can be transmitted masked in an innocent way 
by using circumstances known only to the sender and the recipient. This may 
happen in daily life. A famous example was reported by Katia Mann: In 
March 1933, she phoned from Arosa in Switzerland her daughter Erika in 
Munich and said: “/c/i weifi nicht, es muft dock jetzt bei uns gestdbert werden, 
es ist dock jetzt die Zeit ” [I don’t know, it is the time for spring-cleaning]. 
But Erika replied “Aem, nein, aufierdem ist das Wetter so abscheulich. Bleibt 
ruhig noch ein bissel dort, ihr versaumt ja nichts ” [No, no, anyway, the 
weather is so atrocious. Stay a little while, you are not missing anything 
here]. After this conversation, it became clear to Katia and Thomas Mann 
that they could not return to Germany without risk. 



Fig. 8. Tramps’ secret marks (German Zinken), warning of a policeman’s house 
and an aggressive householder (Central Europe, around 1930) 


Secret marks have been in use for centuries, from the itinerant scholars of 
the Middle Ages to the present-day vagrants, tramps, hoboes and loafers. 
Figure 8 shows a couple of secret marks, such as could still be seen in a 
provincial town of Central Europe in the 1930s; Fig. 9 shows a few used in 
the midwestern United States in the first half of the 20th century. Tiny 
secret marks are also used in engravings for stamps or currency notes as a 
distinguishing mark for a particular engraver or printer. 


o • 

good for a handout bad dog 

> -f 

not generous stay away 



police not hostile town is hostile 



police hostile plainclothes detectives here 


Fig. 9. Hoboes’ secret marks for ‘police not hostile’ and other messages 
(midwestern United States, first half of 20th century) 
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Languages specific to an occupation or social class, collectively known as jar¬ 
gon, above all the kinds used by beggars, vagabonds, and other rascals, vari¬ 
ously called argot (France, USA), cant (UK), thieves’ Latin (UK), rotwelsch 
(Germany), fourbesque (Italy), alemania (Spain), or calao (Portugal), and 
which serve to shield (and keep intact) a social group, often make use of 
masking. Masked secret writing is therefore called jargon code. 

The oldest papal code in the 14th century used Egyptians for the Ghibellines, 
and Sons of Israel for the Guelphs. One French code in the 17th century 
used jargon exclusively: Jardin for Rome, La Roze for the Pope, Le Prunier 
for Cardinal de Retz, La Fenestre for the King’s brother, L’Ecurie (meaning 
either stable or gentry) for Germany, Le Roussin for the Duke of Bavaria, and 
so on. A simple masking of names was used in a Bonapartist plot in 1831. 

The languages of the criminal underworld are of particular steganographic 
interest. French argot offers many examples, some of which have become 
normal colloquial usage: rossignol (nightingale) for skeleton key, known since 
1406; mouche (fly) for informer (‘nark’ in British slang), since 1389. Alliter¬ 
ative repetition is common: rebecca for rebellion, limace (slug) for lime (file), 
which in turn is fourbesque for shirt; marquise for marque (mole or scar), 
which in turn is alemania for a girl; frise (curly) for Fritz (a popular name 
for a German). Not quite so harmless are metaphors: chateau for hospital, 
mitraille (bullet) for small change, or the picturesque but pejorative mar- 
mite (cooking pot) for a pimp’s girlfriend, and sac a charbon (coal sack) 
for a priest. Sarcastic metaphors such as mouthpiece for a lawyer are not 
confined to the underworld. 

Some jargon is truly international: ‘hole’- trou— Loch for prison; ‘snow’ - neige 
- Schnee or ‘sugar’- sucre for cocaine; ‘hot ’-heifi for recently stolen goods; 
‘clean out ’- nettoyer- abstauben for rob; ‘rock’- galette - Kohle for money. 
All kinds of puns and plays on words find their place here. The British 
‘Twenty Committee’ in the Second World War, which specialized in double 
agents, took its name from the Roman number XX for ‘double cross’. 

Well-masked secret codes for more or less universal use are hard to devise and 
even harder to use properly—the practised censor quickly spots the stilted 
language. The abbot Johannes Trithemius (1462-1516), in his Poly graphics 
Libri, six books printed in 1508-1518 (Fig. 10), presented a collection of Latin 
words as codes for individual letters (Fig. 11), the Ave Maria cipher. “Head”, 
for example, could be masked as “ARBITER MAGNUS DEUS PIISSIMUS”. 
In fact, there were 384 such alphabets in the first book, to be used successive¬ 
ly—a remarkable case of an early polyalphabetic encryption (Sect. 2.3.3). 

It could be that present-day censors are not sufficiently well versed in Latin 
to cope with that. A favorite trick in censorship is to reformulate a message, 
preserving the semantics. In the First World War a censor altered a despatch 
from “Father is dead” to “Father is deceased”. Back came the message “Is 
father dead or deceased?” 
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Fig. 10. Title page (woodcut) of the first printed book on cryptography (1508) 


Allegorical language is of little help here. In Louis XV’s diplomatic service, 
Chevalier Douglas was sent on a secret mission to Russia in 1755 with an 
allegorical arsenal from the fur trade, with le renard noir etait cher for “the 
influence of the English party is increasing”, le loup-cervier avail son prix 
for “the Austrian party (under Bestuchev) retains its dominant influence”. 
Bestuchev himself, who was friendly to Prussia, was le loup-cervier , while 
une peau de petit-gris meant 3000 mercenaries in the pay of the British. 

It is to be hoped that the chevalier was more subtle in the use of his allegorical 
code than the German spies, in the guise of Dutch merchants, who—as told by 
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Fig.11. 

The first entries of 
Trithemius’ Ave Maria cipher 


A Deus 
B Creator 
C Condi tor 
D Opifex 
E Dominus 
E Dominator 
G Confolator 
H Arbiter 


A clemens 
B clementifsimus 
C pius 
D pijfsimus 
E magnus 
F excelfus 
G maximus 
H optimus 


Major-General Kirke—ordered cigars in batches of thousands from Plymouth 
one day, Portsmouth the next; then Gravesend and so on—1000 coronas 
stood for one battleship. Their inadequate system brought their lives to a 
premature end on July 30, 1915. Luck was on the side of Velvalee Dickinson, 
a Japanophile woman in New York City, who kept up a lively correspondence 
on broken dolls in 1944. Things came to light when a letter to an address in 
Portland, Oregon was returned, and the sender’s name turned out to be false. 
The lady really did sell exquisite dolls from a shop in Madison Avenue. Tech¬ 
nical Operations Division, the agency for detecting especially hard to find hid¬ 
den messages, and the FBI managed to produce evidence for the prosecution, 
but she got away with ten years in prison and a $ 10 000 fine. In the Audrey 
Hepburn movie of 1961 Breakfast at Tiffany’s, Miss Holly Golightly spent a 
night behind bars because she helped a gangster conduct his cocaine dealer¬ 
ship from his prison cell by means of “weather reports”—it did occur to her, 
she admitted, that “snow in New Orleans” sounded somewhat improbable. 

1.4 Cues 

The most important special case of masking, i.e., of a jargon-code message, 
concerns the use of a cue (French mot convenu), a prearranged phrase or 
verse to mean a particular message. The importance of the message is linked 
to the time of transmission; the message serves as an alarm or acknowledge¬ 
ment. Large numbers of messages were broadcast by the BBC to the French 
Resistance during the Second World War. It therefore attracted little atten¬ 
tion when some masked messages with an importance several orders of mag¬ 
nitude greater than the others were broadcast—for example, on June 1, 1944 
when the 9 o’clock news was followed by a string of “personal messages”, 
including the first half of the first verse of the poem Chanson d 'Automne by 
Paul Verlaine (translated: “The long sobs of the violins of autumn”); the 
second half (translated: “Wound my heart with a monotonous languor”) fol¬ 
lowed on June 5th. The German command structure had already in January 
1944 been informed by Admiral Canaris’ Abwehr of the jargon code and its 
significance. When the 15th Army picked up the expected cue (Fig. 12), Ger¬ 
man command posts were warned, but for reasons that have not been fully 
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Darstellung der Ereignisse 

(Dabei wichtig: Bcurtcilung der Lage [Fcind- und cigene], Eingangs- und Abgangs- 
zeiten von Meklungen und Befehlen) 

5.6.44 Am 1. , 2. 1106 3.6.44 iet durch die Rast innerhalb der 

"Messages personalise" der franzCeischen SeMungep^lef^ 

_britiechen Rundfunks f olgende Meldung abgehBrt _\yord.fiU-_i_ 

"Lea sanglots longs dee violons de l’automme "._ 

.. .. . Naoh vorhandenen_Unterlageh soli dieser Spcuch_.ani_l^ oder._ 

_15. eines Monate dureh gegaben werden, nur die erete H filfte 

_ ei nes ganzen Spruches da rst allen und a nklind-ig ar. t _ 

-M.oaea.^ StaiDden_ n a ch Ih ircbgabe der zweitea H&lfte dea— 

__ Spruches , gere.ch net v on 00.QQ Uhr dea auf die Burch sage _ 

folgenden Tages ab f die anglo-amerikanische Invasion be- 



ginnt.. 

21.15 Uhrj 

Zweite Eglfte dea Spruches "Blesssht mon coeur d'une longeui 
monotone’* vrird- durch Rest attgehBrt. 

21.20 Uhr 

Sprueh an Ic—AO durchgegebea. Danach mit Invaaionabeginn-.-. 
ab 6.6. 00.00 Uhr innerhalb 48 8tunden zu rechnen. 


iJberpriifung der Meldung durch Rflckfrage beim Militfcrbe- 

— 

fehlehaber JBelgiejy'Sordfrankreich in Briisael^ (-Maj or von. — 
Wangenheim ). 

22.00 Uhr 

Meldung an O.B. und Chef dea Generalstabes. 

22.15 Uhr 

Weitergabe gemfisB Feraechreiben ( Anlage 1 ) an General- 


kommando e._ Mundliche. Weitergabe_an l6, Flak-Division. 


Tag 

Uhrzeit 

Ort und Art der 
Unterkunft 


Fig. 12. Extract from a log kept by the 15th Army’s radio reconnaissance section 
(Lt. Col. Helmuth Meyer, Sgt. Walter Reichling). 

Here, automine is to be read automne , longeur is to be read langueur 


explained to this day the alarm did not reach the 7th Army, on whose part 
of the coast the invasion took place within 48 hours, on June 6, 1944. 

The Japanese used a similar system in 1941. For example, HIGASHI NO 
KAZE AME (east wind, rain), inserted into the weather report in the over¬ 
seas news and repeated twice, was used to announce “war with the USA”. 
The US Navy intercepted a diplomatic radio message to that effect on Novem¬ 
ber 19, 1941 and succeeded in solving it by the 28th. As tension mounted, 
numerous reconnaissance stations in the USA were monitoring Japanese ra¬ 
dio traffic for the cue. It came on December 7th—hours after the attack 
on Pearl Harbor—in the form NISHI NO KAZE HARE (west wind, clear), 
indicating the commencement of hostilities with Britain, which came as very 
little surprise by then. Perhaps the whole thing was a Japanese double cross. 

Technically, masked secret writing shows a certain kinship with enciphered 
secret writing (Sect. 2.2), particularly with the use of substitutions (Chap. 3) 
and codes (Sect. 4.4). 

In a different category are secret writings or messages veiled as open ones 
(invisibly concealed secret writing). Here, the message to be transmitted is 
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somehow embedded in the open, harmless-looking message by adding nulls. 
In order to be able to reconstruct the real message, the place where it is 
concealed must be arranged beforehand ( concealment cipher). There are two 
obvious possibilities for using garbage-in-between (Salomaa): by specifying 
rules ( null cipher, open-letter cipher) or by using a grille (French for ‘grat¬ 
ing’). 

1.5 Open Code: Veiling by Nulls 

Rules for veiled messages are very often of the type “the nth character after 
a particular character”, e.g., the next letter after a space (“family code”, 
popular among soldiers in the Second World War, to the great displeasure 
of the censors); better would be the third letter after a space, or the third 
letter after a punctuation mark. Such secret messages are called acrostics. 
A practised censor usually recognizes immediately from the stilted language 
that something is amiss, and his sharp eye will certainly detect what 

PRESIDENT’S EMBARGO RULING SHOULD HAVE IMMEDIATE 
NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. 
STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW 
JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY 
means—a message intercepted in the First World War. 

If necessary, it can help to write out the words one below the other: 


I 
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S 
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E 

C 
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0 

R 






T 

R 

I 

G 

L 

E 

T 

H 

A 

C 

K 

N 

0 

W 

L 

EDGE 

T 

H 

E 






B 
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R 
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L 

L 




The disguise falls away; the plain text “jumps out of the page”. 

Sir John Trevanion, who fought on the Royalist side against Oliver Cromwell 
(1599-1658) in the English Civil War, saved himself from execution by using 
his imagination. In a letter from his friend R. T. he discovered the message 
“panel at east end of chapel slides”—and found his way out of captivity 
(Fig. 13). 

There is a story of a soldier in the US Army who arranged with his parents 
that he would tell them the name of the place he had been posted to by means 
of the initial letter of the first word (after the greeting) in consecutive letters 
home—from a cryptographic and steganographic point of view not such a bad 
idea. However, his cover was blown when his parents wrote back “Where is 
Nutsi? We can’t find it in our atlas.” The poor fellow had forgotten to date 
his letters. 
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Worthie Sir John: — Hope, that is ye beste comfort of ye afflicted, cannot 
much, I fear me, help you now. That I would saye to you, is this only: if 
ever I may be able to requite that I do owe you, stand not upon asking 
me. ’Tis not much that I can do: but what I can do, bee ye verie sure 
I wille. I kriowe that, if dethe comes, if ordinary men fear it, it frights 
not you, accounting it for a high honour, to have such a rewarde of your 
loyalty. Pray yet that you may be spared this soe bitter, cup. I fear not 
that you will grudge any sufferings; only if bie submission you can turn 
them away, ’tis the part of a wise man. Tell me, an if you can, to do 
for you anythinge that you wolde have done. The general goes back on 
Wednesday. Restinge your servant to command. R. T. 

Fig. 13. Message to Sir John Trevanion: panel at east end of chapel slides 
(third letter after punctuation mark) 

Acrostics have also been used to conceal slogans. The nationalistic Austrian 
mathematician Roland Weitzenbock, in the preface to his book Invarianten- 
theorie (Groningen 1928), wrote “nieder mit den Franzosen ” as an acrostic. 
The technique of acrostics even found its way into belletristic literature. In 
the classical acrostic, it was the initial letters, syllables, or words of succes¬ 
sive lines, verses, sections, or chapters which counted. Words or sentences 
(Fig. 14) were enciphered in this way, also author’s names, and even the 
addressee of invectives: ‘The worst airline’, ‘Such a bloody experience never 
again’. Acrostics also served as an insurance against omissions and insertions: 
an early example of the present-day parity checks or error-detecting codes. 
In a similar way, the chronogram conceals a (Roman) numeral in an inscrip¬ 
tion; usually it is a date; for example, the year when the plaque was erected: 
In the baroque church of the former Cistercian monastery Fiirstenfeld near 
Munich, in 1766 a statue of the Wittelsbachian founder Ludwig der Strenge 
(1229-1294) was placed, below which there is a tablet with the chronogram 
LVDoVICVs seVerVs DVX baVarVs aC paLatlnVs, 
hIC In sanCta paCe qVIesCIt. 

(Ludwig the Severe, Duke of Bavaria and Count Palatine, rests here in holy peace.) 

If the chronogram consists of a verse, then the technical term is a chrono- 
stichon—or chronodistichon for a couplet. 

Composers have concealed messages in their compositions, either in the notes 
of a musical theme (a famous example 2 is B A C H), or indirectly by means of 
a numerical alphabet: if the i-tli note of the scale occurs k times, then the k -th 
letter of the alphabet is to be entered in the /'-tli position. Johann Sebastian 
Bach was fond of this cipher; in the theme of the organ chorale ‘ Vor deinen 
Thron ’, written in 1750 in the key of G major, g occurs twice (B), a once (A), 
b three times (C), and c eight times (H). 

Nulls are also used in many jargons: simply appending a syllable (parasitic 
suffixing) is the simplest and oldest system. In French, for example, 

2 In German, b is used for b flat, h for b. In G major, g is first, a second, h third, etc. 
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floutiere for flou , argot for ‘go away!’; girolle for gis, argot for ‘yes’; 
mezis for me; icicaille for id 

and there are hundreds of similar forms. Cartouche (18th century) has 
vousierge trouvaille bonorgue ce gigotmouche 
where the nulls are underlined. 

Fast writing method 

He must have had a special trick, said Robert K. Merton, for he 
wrote such an amazing quantity of material that his friends were 
simply astonished at his prodigious output of long manuscripts, 
the contents of which were remarkable and fascinating, from the 
first simple lines, over fluently written pages where word after 
word flowed relentlessly onward, where ideas tumbled in a riot 
of colorful and creative imagery, to ends that stopped abruptly, 
each script more curiously charming than its predecessors, each 
line more whimsically apposite, yet unexpected, than the lines 
on which it built, ever onward, striving toward a resolution in 
a wonderland of playful verbosity. Fuller could write page after 
page so fluently as to excite the envy of any writers less gifted 
and creative than he. At last, one day, he revealed his secret, 
then died a few days later. He collected a group of acolytes and 
filled their glasses, then wrote some words on a sheet of paper, 
in flowing script. He invited his friends to puzzle a while over 
the words and departed. One companion took a pen and told the 
rest to watch. Fuller returned to find the page filled with words 
of no less charm than those that graced his own writings. Thus 
the secret was revealed, and Fuller got drunk. He died, yet still a 
space remains in the library for his collected works. 

Ludger Fischer / J. Andrew Ross 

Fig. 14. Self-describing acrostic 


Tut Latin, a language of schoolchildren, inserts TUT between all the sylla¬ 
bles. Such school jargons seem to be very old; as early as 1670 there are 
reports from Metz (Lorraine) of a ‘stuttering’ system, where, for example, 
undreque foudreque stood for un fou. 

The Javanais language is also in this class: 

jave for je; layeblayanc for le blanc; nay on for non; 
chayaussayuraye for chaussure. 

Other systems use dummy syllables with duplicated vowels, such as B talk 
in German: 

GABARTEBENLAUBAUBEBE for gartenlaube (bower) 
or Cadogan in French: 

CADGADODGQGADGAN for cadogan. 

Joachim Ringelnatz (1883-1934) wrote a poem in Bi language (Fig. 15). 
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Gedicht in Bi-Sprache 

Ibich habibebi dibich, 

Lobinebi, sobi licbib. 

Habist aubich dubi mibich 
Licbib! Ncibin, vebiigibib. 

Fig. 15. 

Poem in the Bi language 
by Joachim Ringelnatz 


Nabih obidebir febitn, 
Gobitt scibi dibir gubit. 
Meibin Hebira habit gebirn 
Abin dibir gebirubiht. 


Simple reversing of the letters, called back slang, occurs in cant: OCCABOT for 
‘tobacco’, KOOL for ‘look’, YOB for ‘boy’, SLOP for ‘police’. Permutation 
of the syllables is found in the French Verlan (from I’envers): NIBERQUE for 
bernique (“nothing doing”, said to be related to bernicles, tiny shells); LON- 
TOU for Toulon, LIBRECA for calibre (in the sense of a firearm); DREAUPER 
for perdreau (partridge, to mean a policeman); RIPOU for pourri (rotten); 
BEUR for rebeu (Arab). More recent are FECA for cafe , TECI for cite. 

More complicated systems involve shuffling the letters, i.e., a transposition 
(Sect. 6.1). Criminal circles were the origin of the Largonji language: 
leude for deux [francs]; linve for vingt [sous]; laranque for quarante [sous]; 
with the phonetic variants 

linspre for prince (Vidocq, 1837); lorcefee for La Force, a Paris prison; 
and of the Largonjem language: 

lonbem for bon (1821); loucherbem for boucher ; olrapem for opera (1883). 
The name Largonji is itself formed in this way from ‘jargon’. 

A variant with suppression of the initial consonant is the Largondu language: 
lavedu for cave', loquedu for toque', ligodu for gigo(t). 

Similar formation rules lie behind the following: 
locromuche for maquerau (pimp) ; leaubiche for beau', 
nebdutac for tabac (1866); licelargu for cigare (1915). 

These systems also have parallels in East Asia (Hanoi’, Haiphong). Pig 
Latin, another school language, puts AY at the end of a cyclically permu¬ 
ted word: third becomes IRDTHAY. Cockneys have a rhyming slang with nulls: 
TWIST AND TWIRL for girl, JAR OF JAM for tram, BOWL OF CHALK for talk, 
FLEAS AND ANTS for pants, APPLES AND PEARS for stairs, BULL AND COW 
for row, CAIN AND ABEL for table, FRANCE AND SPAIN for rain, TROUBLE 
AND STRIFE for wife, PLATES OF MEAT for feet, LOAF OF BREAD for head. 
The actual rhyming word is usually omitted—the initiated can supply it 
from memory. Some of these expressions have entered the language (lexical- 
ization): few people are aware of the origin of “use your loaf” or “mind 
your plates”. 

Jonathan Swift (1667-1745) was not overcautious in his Journal to Stella, 
who in fact was Esther Johnson (1681-1728): in a letter on Feb. 24, 1711 he 
merely inserted a null as every second character. 
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And there was mounting in hot haste the steed. 
The mustering squadron and the clattering car, 
And swiftly forming in the ranks of war; 

And deep the thunder peal on peal afar; 

And near, the beat of the alarming drum 
Roused up the soldier ere the morning star 
While thronged the citizens with terror dumb 
Or whispering, with white lips, — ‘ the 
foe! they come, they come!' 


mustering squadron 
forming 


ranks I 


warl 


near 


Fig. 16. Lord Byron’s hypothetical message 


1.6 Open Code: Veiling by Grilles 

The method of the grille, which goes back to Geronimo Cardano (in De 
Subtilitate, 1550, is simple to understand, but suffers from the disadvantage 
that both sides must possess and retain the grille—in the case of a soldier 
in the field or a prisoner, not something that can be taken for granted. It is 
also awfully hard to compose a letter using it. If Lord Byron (1788-1824)— 
admittedly no ordinary soldier—had used the method, his talents would have 
come in extremely handy for composing a poem such as that in Fig. 16. He 
would presumably also have been able to lay it out so attractively that the 
plain text fitted the windows of the grille without calling attention. 

Cardano, incidentally, insisted on copying out the message three times, to 
remove any irregularities in the size or spacing of the letters. The method 
was occasionally used in diplomatic correspondence in the 16th and 17th 
centuries. Cardinal Richelieu is said to have made use of it. The modern 
literature also mentions some more cunning rules; for example, to convey 
binary numbers (in turn presumably used to encipher a message), in which a 
word with an even number of vowels represents the digit 0, or an odd number 
the digit 1. 
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Veiled secret writing is a concealment cipher. In professional use, it is usually 
considered as enciphered secret writing (Sect. 2.2), it shows a certain kinship 
particularly in the use of nulls (Sect. 2.3.1) and of transposition (Sect. 6.1.4). 

Cryptography 
(secret writing) 


Sect. 2.2 

Steganography Cryptography proper 

(covert secret writing) (overt secret writing) 


Technical Linguistic 

Steganography Steganography 


Sect. 1.2 

Semagrams Open code 

(visibly concealed (invisibly concealed 

secret writing) secret writing) 


Sect. 1.3 

Jargon code Concealment cipher 

(masked (veiled 

secret writing) secret writing) 


Sect. 1.4 Sect. 1.5 Sect. 1.6 

Cue Null cipher Grille 

Fig. 17. Classification of steganographic and cryptographic methods 

1.7 Classification of Cryptographic Methods 

Figure 17 shows a diagrammatic summary of the classification of methods of 
steganography and cryptography proper as given in this and the next chapter. 
Masking and veiling have been treated in detail here because they provide 
a methodical guide: masking leads to substitution, veiling leads to transpo- 
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sition. These are the two basic elements of cryptography proper. We shall 
introduce them in the next chapter. 

Steganography also reveals an important maxim: natural language—spoken, 
written, or in gestures—has its own particular rules, and it is even harder 
to imitate them (as in steganography) than to suppress them (as in crypto¬ 
graphy). 

Linguistic steganography is therefore treated with caution by pure crypto¬ 
graphers; it is a censor’s job to combat it. By its very nature, an amateur 
steganogram can be rendered harmless by suppressing or revealing it. For the 
censorship, the actual solution is often of little importance (except, perhaps, 
to provide evidence for a subsequent court case). 

The professional use of linguistic steganography can be justified only in 
special cases—unless it represents a concealment of a cryptographic method. 
Steganography and cryptography proper fall un¬ 
der the concept of cryptology. The term cryptolo- 
gia was used, like cryptographia , by John Wilkins 
in 1641, to mean secrecy in speech. In 1645, ‘cryp¬ 
tology’ was coined by James Howell, who wrote 
“cryptology, or epistolizing in a clandestine way, 
is very ancient”. The use of the words cryptogra¬ 
phy, cryptographic, crittografia, and Kryptographie 
has until recently dominated the field, even when 
cryptanalysis was included. 

Claude Shannon, in 1945, still called his confi¬ 
dential report on safety against unauthorized de¬ 
cryption A Mathematical Theory of Cryptogra¬ 
phy. Within book titles, the French cryptologue 
was used by Yves Gylden (1895-1963) in 1932 and in more modern times 
cryptologist by William F. Friedman (1891-1969) in 1961. The term cryp¬ 
tology showed up in the title of an article by David Kahn in 1963; it was 
used internally by Friedman and Lambros D. Callimahos (1911-1977) in the 
1950s. With Kahn’s The Codebreakers of 1967, the word ‘cryptology’ was 
firmly established to involve both cryptography and cryptanalysis, and this 
is widely accepted now. 

With the widespread availability of sufficiently fast computer-aided image 
manipulation, steganography nowadays sees a revival. By subtle algorithms, 
messages can be hidden within pictures. 



Claude Shannon (1916-2001) 
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Nearly every inventor of a cipher system 
has been convinced of the unsolvability 
of his brainchild. 

David Kahn 

A survey of the known cryptographic methods is given in this chapter from 
the point of view of securing 1 established channels of communication against 
(passive) eavesdropping and (active) falsification (ISO 7498). Security against 
breaking the secrecy in the sense of confidentiality and privacy is the classic 
goal, whereas security against forgery and spurious messages, that is to say 
authentication of the sender, has only recently acquired much importance. 

Besides mathematical questions, philological ones play an important part in 
cryptology. A kindred topic is the unambiguous decryption of ancient scripts 
in extinct languages 2 , an appealing field bordering on both archaeology and 
linguistics. Plate A shows an example, the disk of Phaistos. 

2.1 The Nature of Cryptography 

The objective of cryptography is to make a message or record incomprehen¬ 
sible to unauthorized persons. This can easily be overdone, thereby making 
the message indecipherable to the intended recipient—who has not experi¬ 
enced being unable to read a hastily written note a few weeks (or even days) 
later? 

Seriously speaking, it is fatal if an encryption error is made or if radio com¬ 
munications have been garbled or corrupted by atmospheric disturbances. 
Any attempt to re-encipher and retransmit the same message—correctly, this 
time—represents a serious security risk for reasons to be discussed in Chap¬ 
ter 11 and Part II. Therefore, encryption discipline forbids this strictly; the 
text has to be edited, without altering the content, of course. This is easier 
said than done—the road to doom is usually paved with good intentions. 

1 Since the discoveries of Shannon and Hamming in about 1950, mere garbling and cor¬ 
ruption of communication channels by physical or technical means has been countered 
by error-detecting and error-correcting codes, which need not be considered here. 

2 Johannes Friedrich, Extinct Languages, New York 1957. 
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2.1.1 Secrecy. Thus, the encryption and decryption method must not be 
too complicated: it must be appropriate to the intelligence and situation of 
the people who have to use it. The lowest standards apply on the battlefield. 
Immediately after that comes the field of diplomacy, at any rate if the ambas¬ 
sador is expected to carry out the encryption and decryption himself. When 
Wheatstone demonstrated the method now known as PLAYFAIR (Sect. 4.2) 
at the British Foreign Office in 1854, saying that three out of four boys from 
the nearest school could master it, the Under-Secretary of State remarked 
drily “that is very possible, but you could never teach it to attaches!” 

It should also be borne in mind that many messages need be kept secret 
only for as long as the events they refer to have not in any case become 
public knowledge. Admittedly, it may be wiser to keep diplomatic messages 
secret for decades afterwards. The British—not to mention the Russians— 
are unsurpassable in this respect, as is the veil of secrecy which they cast over 
their entire cryptographic system. At any rate, we need only know how long, 
at least, a cryptanalyst must work on a message to read it—to break the 
cipher—and then it becomes pointless to maintain that a particular method 
is absolutely secure. A trench code used by the Germans on the Western 
Front in 1917 (known by the French as KR.USA, because all the code groups 
began with one of these five letters) was based on ‘planned obsolescence’. 
The code sequence changed every month, but the French did better: they 
had usually worked it out after two weeks—often after only two days. 

However, a quantitative assessment of encryption methods was only made 
possible by the pioneering ideas of Claude E. Shannon (see Appendix). The 
suitability of the various methods was still very imperfectly understood in 
the First World War, as was shown when Le Matin revealed in 1914 that the 
French were reading German messages. The German General Staff made a 
sudden and radical change to its encryption system on November 18th. The 
change from a double columnar transposition (Sect. 6.2.4) to a VIGENERE 
with key ABC (Sect. 8.1.2) and subsequent simple columnar transposition 
was a complication illusoire (illusory complication) for the French decryptors. 
Evidently the lovers, who used to declare their feelings for each other in 
coded messages in the ‘personal’ columns of British newspapers about 1850, 
had every confidence in their cryptosystem. Eavesdropping on these mes¬ 
sages provided pleasure for a section of London society; this included Charles 
Babbage and also Charles Wheatstone and Lyon Playfair, who broke into one 
such correspondence with a suitable message of their own, thus prompting 
the reaction “Dear Charlie: write no more. Our cipher is discovered.” from 
the young lady. Incidentally, in spite—or possibly as a result—of Shannon’s 
commendable elucidation, coded messages are said to be a regular feature of 
the ‘agony columns’ to this day. 

Another lady was greatly impressed by a man to whom she had given an 
enciphered recipe for making gold; she alone knew the key. The man not 
only informed her that he had deciphered it, but also told her the key word. 
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He must be a magician, she thought. As he could 
obviously read her mind, it was best to give him the 
key to her heart. The year was 1757, she was the af¬ 
fluent Madame d’Urfe , and the cavalier (who aban¬ 
doned her soon afterwards) was Giacomo Girolamo 
Casanova, Chevalier cle Seingalt, whose cryptana- 
lytical zeal is evidently not sufficiently well known. 

Marie Antoinette also knew how to combine love 
with cryptography, as did King Edward VUI (the 
later Duke of Windsor). Besides its diplomatic and 
military uses, cryptography thus has its private and civil applications, not 
to mention the commercial ones, such as bookseller’s price cipher, or the 
packaging date for butter (Sect. 3.1.1), or the markings on car tires (Fig. 18). 




(10) brand name 

(13) DOT = Department of Transportation 
(the US transport ministry) 

Fig. 18. 

Coding system for car tires 


Tire marks 

(1) tubeless 

(2) 175 is the width of the tire in mm 
S stands for speed 

(up to 180 km/h in the case of summer tires) 

R means radial plies (omitted for crossply tyres) 
14 is the diameter of the wheel rim in inches 

(3) TWI = tread wear indicator 

(six ribs which appear in the tread pattern 
when it has worn down to 1/16 inch) 

(4, 5) additional markings for Europe: 

88 is the (coded) maximum load per wheel 
S again means 180 km/h 

(6) sidewall consists of two layers of rayon fibres 

(7) tread has two layers of steel and two of rayon 

(8) maximum cold inflation pressure 
(applies to USA only) 

(9) maximum load per wheel 
(applies to USA only) 

(11, 12) tested to European standards 

4 is the country where the test took place 
(in this case Holland). 

(14) manufacturer’s codes: 

LM = factory; J3 = size; MEB = type; 

344 = date (34th production week of 1974) 


There are some amusing stories about the supposed unbreakability of ciphers. 
Over-assessment of one’s own cleverness is a regular source of advantage to the 
opposing side. Sometimes the exaggeration is the work of others. It was said 
of Paul Schilling von Cannstatt, one of the inventors of the electromagnetic 
telegraph (1832), that “for the Russian ministry he compiled such a secret 
alphabet, the so-called chiffre, that even so ingenious a secret cabinet as the 
Austrians possessed could not have penetrated it in fifty years” (F.P. Fonton, 
after A.V. Jarozkij). And as late as 1917, the respected periodical Scientific 
American declared Vigenere’s method (Sect. 7.4.1) to be unbreakable. 
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It was an ironic twist of fate that Etienne Bazeries, the great French crypto- 
logist (1846-1931), who shattered a whole series of supposedly unbreakable 
cryptosystems that had been presented to the French security agency, was 
himself presumptuous enough to believe he had found an absolutely se¬ 
cure method (je suis indechiffrable, see Fig. 19). His antagonist the Mar¬ 
quis de Viaris—the first modern cryptologist, incidentally, to make use of 
mathematics—derived no small pleasure in taking his revenge by breaking 
several ciphers which Bazeries sent him (Sects. 7.5.3, 14.3.1). 



Fig. 19. Bazeries’ cylinder with the message je suis indechiffrable 

2.1.2 Costs. The invention and financial exploitation of enciphering and 
deciphering machines is a lucrative branch of cryptography. Until the 19th 
century they were mechanical; from the beginning of the 20th century au¬ 
tomation made its appearance, around the middle of the century came elec¬ 
tronics and more recently microelectronic miniaturization. Towards the end 
of 1939, Konrad Zuse, the 30-year old German computer pioneer, stationed as 
an infantryman on the Siegfried Line , also invented an enciphering machine, 
an attachment to a teleprinter. He was not able to persuade the German War 
Office of the advantages of his invention, which used the Vernam principle 
(Sect. 8.3); he was given to understand that the authorities already possessed 
good equipment of a similar nature. They were referring to Lorenz SZ40 and 
Siemens T 52, not to ENIGMA, as Zuse in 1984 incorrectly assumed. 
Today’s microcomputers— roughly the size, weight, and price of a pocket 
calculator—have a performance as good as the best enciphering machines 
from the Second World War. That restores the earlier significance of good 
methods, which had been greatly reduced by the presence of ‘giant’ computers 
in cryptanalysis centres. More than that, a normal commercial microcom¬ 
puter costing about 8100—not to mention a PC—can carry out a much more 
complex encryption than the classic machines were capable of. 

In assessing a method based on any kind of documentation and encryption 
apparatus, it must be borne in mind that such objects could fall into the 
opponent’s hands (Shannon’s maxim, Sect. 11.2.3). A microcomputer fed 
with a program or data on magnetic card possesses no telltale cryptographic 
structure of its own—except, possibly, an alphabetic keyboard and display. 
In the case of the public keys propagated for commercial communication links, 
even the encryption and decryption methods are published. It is only the 
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key for decryption which remains secret. Shannon’s maxim “The enemy 
knows the system” is thus carried to extremes. At the same time, the increas¬ 
ing use of public communications channels has led to authentication becoming 
as much a declared objective of cryptography as secrecy is (Sects. 10.5, 10.6). 

2.1.3 Cryptology and literature. Cryptological techniques are occa¬ 
sionally used in literature. Intricately woven literary works such as Zettels 
Traum (1970) by Arno Schmidt (1914-1979) just ask to be ‘decrypted’. Os¬ 
tensibly secret messages represent a particular problem. In La physiologie du 
manage (1829), Honore de Balzac has this passage: “La Bruy ere a dit tres 
spirituellement: ‘C’est trop contre un mari que la devotion et la galanterie: 
une femme devrait opter. ’ L’auteur pense que La Bruy ere s’est trompe. En 
effet: ---. ” What then follows is a higgledy-piggledy jumble of letters, as if 
a type-case had been spilt on the page. Four editions of the book, three of 
them printed in Balzac’s lifetime, in fact contain four different versions. The 
author must have been playing a practical joke on the reader. Nevertheless, 
Bazeries investigated such a cryptogram in 1901 and found that it did not fit 
any known scheme; it was une facetie de l’auteur. 

There was much ado in 1878 when Ignatius Donelly, an American provincial 
politician and imaginative pseudo-scientist who had already speculated on 
Atlantis and a collision between the Earth and a meteor, set about finding 
steganographic proof in the works of Shakespeare that the author was in 
fact Sir Francis Bacon (Georg Cantor, the founder of modern set theory, also 
hunted this chimaera for many years). Now if you take a long enough text, 
and declare enough characters as irrelevant (perhaps also permuting the ones 
that remain), then you can read anything into it—Lord Byron’s hypothetical 
message in Sect. 1.6 could serve as an example. So Donelly was apparently 
successful. A flood of amateurs joined in the search. None of this would have 
been very remarkable, had not a certain William Frederick Friedman 3 , who 
had studied genetics, been hired by a rich textile merchant in Geneva near 
Chicago, Colonel George Fabyan. Besides funding laboratories for biology, 
chemistry, and acoustics, Fabyan employed cryptologists who were supposed 
to prove that Bacon was Shakespeare. Friedman was attracted by cryptology 
and also by Elizebeth Smith, a young cryptologist working there. He espoused 
himself to both, and became the most successful American cryptologist. 

2.1.4 Deception. The official cryptological services in the 20th century 
go by mysterious-sounding names, in keeping with the spirit of the times. 
They are usually embedded in the secret services concerned with counter¬ 
espionage and intelligence-gathering beyond their own borders. Most famous 
are M.I.6, the British Secret Intelligence Service (S.I.S.) which is directly an¬ 
swerable to the Foreign Office; and in the USA since 1947 the Central Intelli¬ 
gence Agency (CIA), subordinate to the US Intelligence Board and therefore 


3 Born Wolfe Friedmann in Kishinev (Moldavia) on Sept. 24, 1891. The family emigrated 
to the USA the following year. He died on Nov. 2, 1969 and was buried in Arlington. 
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controlled by legislatives and executives. Post-war Germany has its Bun- 
desnachrichtendienst (BND), directly answerable to the Chancellor’s Office. 
The actual cryptological services, especially the departments for cryptanal¬ 
ysis, are frequently divided into diplomatic and military parts. That may 
have good organizational reasons, but it often hinders the exchange of expe¬ 
rience. In wartime Britain, the Admiralty (O.I.C., Operational Intelligence 
Centre) and the Foreign Office (Department of Communications) were forced 
into close cooperation by the desperate situation in 1940; Winston Churchill 
chipped in and set up a powerful authority in the form of the London Control¬ 
ling Section (L.C.S.), headed by Colonel John Henry Bevan and directly an¬ 
swerable to the Prime Minister. Responsibility for cryptanalysis was held by 
M.I.8 (Signals Intelligence Service) and its G.C.H.Q. (Government Commu¬ 
nications Headquarters), with various nicknames, some of them with histor¬ 
ical significance: G.C. &C.S. ( Government Code and Cypher 4 School , ‘Golf 
Cheese and Chess Society’, ‘War Station’, ‘Station X’ (the wireless station), 
‘Room 47 Foreign Office’; it was also often called B.P. (Bletchley Park), after 
the place at Milton Keynes, 45 miles northwest of London, where it was 
housed from 1939. Even within B.P. a certain distinction was maintained 
between A.I. (Air Intelligence) and M.I. (Military Intelligence) on the one 
hand, and the Navy, steeped in tradition, on the other. Both looked back on 
their successes in the First World War, gained by M.I.1(b) (Military Intelli¬ 
gence Division) of the War Office and Room 40 at the Admiralty. Postwar 
G.C.H.Q. is located at Cheltenham, Gloucestershire, 90 miles west of London. 
After the United States entered the First World War in 1917, rapid expan¬ 
sion of military cryptology became necessary. As part of the AEF (American 
Expeditionary Forces), G.2 A.6 (General Staff, Intelligence Section, Military 
Information Division, Radio Intelligence Section) and the Code Compilation 
Section of the Signal Corps found themselves under the supervision of MI-8 
(Cryptological Section of Military Intelligence Division), headed by Herbert 
Osborne Yardley (1889-1958). Rivalry between the Army and the Navy, lead¬ 
ing to a bizarre split, continued throughout the Second World War: OP-20-G 
was the naval cryptological organization with its cryptanalysis department 
OP-20-GY, while SIS (Signal Intelligence Service) was the army counterpart 
which Yardley had built up and which had been headed by William Friedman 
since 1929. The experience gained in the Second World War led to a concen¬ 
tration of resources within G.2: the Army Signal Security Agency merged 
with the cryptanalysis department of the Signal Corps in 1945 to produce 
the ASA (Army Security Agency), then in 1949 the AFSA (Armed Forces 
Security Agency), and in 1952 the NSA (National Security Agency) under 
the Secretary of Defense, led 1977 1981 by the legendary Bobby Ray Inman. 
Important subdivisions are the Defense Intelligence Agency and IDA, the 
Institute for Defense Analysis, which is freer and loosely connected to some 
universities. NSA is located on Fort George G. Meade in Maryland. 

4 Cypher is an older form of cipher , still current in Great Britain. 
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In the German Reich, too, the services were split and some rivalry occurred: 
the Auswartiges Amt (foreign office) on the one hand, and the army and navy 
on the other, received further competition in the Second World War from 
the Reichsluftfahrtministerium and the Sicherheitsdienst (SD, “security ser¬ 
vice”). Lieutenant-Colonel, later Colonel, Erich Fellgiebel (1886 1944), who 
became in 1929 head of the Chiffrierstelle (cipher bureau) of the Reichswehr- 
ministerium , was instrumental in introducing in 1934 a common enciphering 
machine, the ENIGMA; but the coordination of all operations, which the 
war-time OKW/ Chi, the Signal Intelligence Agency (‘Cipher Branch’) of the 
Supreme Command, Armed Forces, constantly demanded, was still blocked 
in the autumn of 1943 by Ribbentrop, Goring, and Himmler. When coordina¬ 
tion by WNV/ Chi (Amtsgruppe Wehrmachtnachrichtenverbindungen, Abtei- 
lung Chiffrierwesen) was finally achieved by order of the Fiihrer of November 
9, 1944, intelligence was firmly in the hands of Walter Schellenberg (1910- 
1952), who was ambitious and always feigned devotion to his leaders Himm¬ 
ler and Hitler, and advanced to Major-General in the SS. He died of a liver 
complaint after serving a sentence of only six years passed by the Nuremberg 
tribunal—the fashion designer Coco Chanel paid his funeral costs. 

In post-war Germany, in 1953, an authority was established in Bad Godesberg 
near Bonn whose cover name— Bundesstelle fur Femmeldestatistik (Federal 
Office for Telecommunications Statistics)—was something of an understate¬ 
ment. In fact, it was a cryptanalytical subdivision of BND; its true name was 
Zentralstelle fiir das Chiffrierwesen (Central Office for Cryptology). A re¬ 
organization ( ‘Amt fiir Militdrkunde ’) took place in 1990 by splitting off the 
BSI, which deals with questions of public cryptography. 

In France, 2 bls (a street number in the Avenue de Trouville) was the nom 
de guerre for the S.R. ( Service de Renseignement) with its cryptanalytic bu¬ 
reau ( section de transmission et decryptement). The Swedish cryptanalytical 
agency was known by the abbreviation FRA ( Forsvarets Radioanstalt), while 
in Italy it was S.I.M ( Servizio Informazione Militare). In Japan, Tokumu 
Han (espionage department) is the name for the cryptanalytical department 
of the admiralty staff intelligence group, set up in 1925, and Ango Kenkyu 
Han (cipher research department) for that of the foreign ministry. 

Spets otdel (‘Special Department’) was the name of the cryptographical and 
cryptanalytical service of the Union of Soviet Socialist Republics, established 
in 1921 by orders of Vladimir Ilyich Lenin and for some time under the 
command of Lev Davidovich Trotzki. 

2.2 Encryption 

To summarize: cryptology is the science of (overt) secret writing (crypto¬ 
graphy), of its unauthorized decryption (cryptanalysis), and of the rules 
which are in turn intended to make that unauthorized decryption more dif¬ 
ficult (encryption security). Plaintext is the message that will be encrypted. 
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2.2.1 Vocabulary, character set. The set of characters, V, used to for¬ 
mulate the plaintext 5 is called the plaintext vocabulary or plaintext character 
set. The set of characters, W, used to formulate the ciphertext or codetext is 
called the cryptotext vocabulary or cryptotext character set. The individual 
characters in W can also be logograms, special symbols representing a word 
or phrase, such as &, %, $, £, ©; moreover f , $, ^[, #, @, p, £, H; and other 
symbols. V and W can be fully different, or overlapping, or identical sets. 

2.2.1.1 Let V*, W* be the set of words constructed from V, W (plain¬ 
text words, cryptotext words), e indicates the empty word. Z n C Z * is the 
set of all words of length n ; Z^ denotes {s} U Z U Z 2 U Z 3 ... U Z n . 
V* is called the plaintext space, W* the cryptotext space . 

2.2.1.2 In all practical cases, V and W are nonempty finite sets. Theoret¬ 
ically, however, we could allow denumerable sets V and W ; then V n and 
W n are also denumerable. 

2.2.2 Encryption and decryption. An encryption is defined as a relation 

X : V* ->- W* . The converse relation X -1 : V* -t- W* , defined by 

x -4—i y if and only if x i—>- y , is then called a decryption. 

2.2.2.1 The intended recipient of an encrypted message should be able to re¬ 
constitute the original message without ambiguities. An encryption therefore 
as a rule is injective, i.e., unambiguous from right to left ( left-univalent ): 

(.x z) A (■y h-y z) => (x = y) 

We define H x = {y € W* : x y} as the fiber of x £ V* . 

As a rule it is also a requirement that the encryption X be definal, that is to 
say total (from left to right): H x is nonempty for all x € V* . 

2.2.2.2 The encryption X : V* -y W* is implemented by means of 

Hilbert’s non-deterministic ‘choice operator’ ry, where X(x) = yHx ■ The ele¬ 
ments of 7i x (assuming there are more than one) are called variants, also 
homophones of x . Thus, variants are different cryptotext words assigned to 
the same plaintext word in the encryption relation X : V* -y W* . 

If the relation V* -y W* is also unambiguous from left to right ( right- 

univalent ), i.e., fix contains at most one element for all x € V* , then the 

encryption is functional, V* -y W* is a function V* -y W*. If in addition 

the relation is surjective, that is to say total from right to left, then the 
encryption even becomes a one-to-one function V* -<—y W* . 

In the functional case there are no variants; the encryption is deterministic 
and thus a one-to-one mapping of plaintext space into cryptotext space. 

2.2.2.3 As a rule, e i-^ e . If H e also contains elements other than e which 
are homophones for e G V* , these are called null texts or dummy texts. 

Note that the set of all encryptions V* -y W* (in the case of fixed 

nonempty V, W) is non-denumerable. 


5 In contrast to cleartext (‘Klartext’), which means a text transmitted without encryption. 
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2.2.3 Inductive definitions. An encryption X : V* -y W* is said 

to be finite if the set of all pairs in the relation is finite. Then for suitable 
natural numbers n , m we have X : ->- W("*) . 

But how can a relation V* -y W* be defined and specified? Even if it is 

finite, it may very well not be practicable to list all the pairs. For that reason, 
inductive rules are frequently used. This is studied in the next paragraph. 


2.3 Cryptosystems 


Let M = M ( V. IT,X), the encryption system, be a nonempty, as a rule finite 
setX={xo, Xi> X 2 ,---i Xe-i} of (injective) relations \i '■ 

Each Xi is called an encryption step. An encryption system together with a 
corresponding decryption system is a cryptosystem. 

An encryption X = [ y u , , ... ] is called finitely generated (by 

means of the encryption system M ), if it is induced by a (terminating or in¬ 
finite) sequence (y u , \i 2 > X *3 > • • •) of encryption steps y* G X under 
the concatenation . * . , i.e., 

xv- ^ y holds for x £ V* , y £ W* if and only if there exist decompositions 
x = Xi * X 2 * X 3 -k .. ,-kXk and y = y\ * t /2 * V 3 * • • • * Vk with 6 

Xi, 

Xj y-y yj for j = 1 , 2 , ... k . 


Example: 

Xi ■ -y- : cyclic transposition of n* elements (9 = 5) ; 

no = 3, n\ = 5, n 2 = 2, = 6 , n 4 = 6 , 


nearlyeveryinventorofa 
eanlyevr re invenyorofat 


(Xo, Xl) X 2 , X3, X4) 


2.3.1 Basic concepts. 6 = \M\ denotes the cardinal number of the en¬ 
cryption system. An encryption step Xi '■ V < - ni ' > -y is a generating 

relation; the number n, is called the (maximal) plaintext encryption width, 
the number ?n,; the (maximal) crypt width of Xi ■ The relation Xi may be 
nondeterministic. The encryption step is said to be endomorphic if V = W . 

Speaking of homophones and variants (also optional substitutes, multiple 
substitutes) and of nulls (also dummies, French nonvaleurs , German Blender, 
Blindsignale, Trugchiffren) , usually those of the encryption step are meant. If 
the cryptotext character set of the encryption step contains words of different 
length, the encryption step is called “straddling” (German gespreizt). 

A generated encryption is not necessarily injective, even if the generating 
encryption steps are: 


Every x E V* is taken to be suitably filled up by meaningless symbols. 
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Assume a i—>- • - 

i i—>- • • 

1 h-s- • 

belong to an injective V 1 -v W^ , then in V* ->- W* 

ai i—v - and 1 i—v - ; 

this means that injectivity is violated (by sloppy radio operators). 

2.3.2 Ciphering and coding. An encryption step \i '■ V^ ni ^ ->- W ( m >) 

is by its very nature finite, provided V and W are finite; it can be specified 
in principle by enumeration (encryption table). An actual enumeration is 
often called a code or cipher (French chiffre ); the encryption step is then 
called the encoding step or enciphering step. The terminological boundary 
between ‘cipher’, ‘encipher’, ‘decipher’ and ‘code’, ‘encode’, ‘decode’ is fuzzy 
and essentially determined by historical usage (see also Sect. 4.4). The terms 
‘cipher’ and ‘code’, and more generally ‘crypt’, are also used for the elements 

of W( mi '>. 

2.3.2.1 An encryption X = [xp , Xi 2 > Xi 3 » • ■ •] > finitely generated by M, 
is called monoalphabetic if it comprises or uses a single encryption step (‘al¬ 
phabet’). Otherwise it is called polyalphabetic. If M is a singleton (0 = 1), 
then every encryption generated by means of M is monoalphabetic. 

2 .3. 2.2 A finitely generated encryption is said to be monographic if all the 
rii of the encryption steps used equal 1, polygraphic otherwise. In a special 
case of particular interest for encryption by machines, all encryption steps of 
M show equal maximal encryption width n and equal maximal crypt width 
to . Then M is necessarily finite. If even 

Xi ■■ v n — w m 

holds for all \i £ M , which means that no encryption step is straddling, 
[Xii , Xia > X *3 j • • •] is called a block encryption; a word from V n is an 
encryption block. In a suitable vocabulary of character n-tuples, a block 
encryption can be interpreted theoretically as a monographic encryption. 

Encryption systems with '■ V n ->- W m for n = 2, 3, 4 establish 

bigram, trigram, tetragram encryptions, which for to = 1, 2, 3 are called 
unipartite, bipartite, tripartite (French bifide, trifide). Frequently V = W 
and to = n are chosen, to give us a block encryption in the narrow sense. 
2.3.3 Text streams. A stream (z\, Z 2 , Z 3 , ...) is an infinite sequence 
of blocks of characters. There is a one-to-one correspondence between the 
stream (z±, Z 2 , 23 ,...) and an infinite sequence ((zi), ( 2 i*z 2 ), {zi*Z 2 * 23 ),...) 
of words, the segments (zi*Z 2 * ■ ■■* Zi) of the stream. 

A plaintext stream is an infinite sequence of blocks (pi,P 2 ,P 3 , ■ ■ ■), where 
Pj £ V n \ correspondingly, an infinite sequence of blocks (ci, c 2 , C 3 ,...), where 
Cj £ W m , is a cryptotext stream. A stream encryption is a block encryption 
of segments of a fictitious plaintext stream to segments of a likewise fictitious 
cryptotext stream. 
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An encryption X = [xi :1 , Xh > X *3 > • • ■ ], finitely generated by M, is called 
periodic (repeated key) or nonperiodic (‘aperiodic’, running key), depending 
on whether the infinite sequence (Xn > X *2 > X» 3 1 ■ ■ ■) finally is periodic or 
not. 

A monoalphabetic encryption is trivially periodic. A nonperiodic (running 
key) encryption therefore is necessarily polyalphabetic. This will be given 
more attention in Sect. 8.7. 

Every periodic block encryption of period r can be interpreted theoretically 
as a monoalphabetic encryption, with 

Xo : V n ' r W m ' r 

as the sole encryption step. For running key encryptions this is not the case. 
They belong fundamentally to a more powerful category of methods. There 
is a one-to-one correspondence of the infinite sequence (xh ■. X *2 i X *3 > ■ • ■) > 
Xi G M , and a real number represented in a number system to the basis 6 by 
the fraction 0 . i\ *2 is ... . For fixed M , a subset of the denumerable set of ra¬ 
tional numbers corresponds to the set of periodic block encryptions; the set 
of nonperiodic (running key) encryptions thus corresponds to the non-denu- 
merable set of irrational numbers between 0 and 1. 

An up-to-date example of a monoalphabetic, polygraphic block encryption 
is the DES cryptosystem, a block encryption (and decryption) method prop¬ 
agated by the National Bureau of Standards of the USA since 1977; the 
encryption step (in the ECB mode) is a one-to-one endomorphic encryption, 
chosen among 2 56 possibilities (key length 56, Sect. 9.6.1.1), a V 8 -4 —>- V 8 
permutation with a vocabulary V = Z 8 of 256 different 8-bit words. An 
encryption step of this size cannot be documented by enumeration but is 
defined algorithmically. Algorithmic definitions, however, are unsympathetic 
to the use of homophones and encourage the restriction to block encryption. 
There is an example of a polyalphabetic, polygraphic encryption which is 
not a block encryption: plaintext encrypted word by word using a number of 
code books in some periodically or nonperiodically changing order. This is 
not very practical in computerized cryptography. Polyalphabetic polygraphic 
block encryption is the domain of present-day computers. 

2.4 Polyphony 

Use of homophones and nulls has been standard in cryptography since 1400. 
Around 1500, encipherings with cipher elements of different length began to 
be used, and the importance of the left-uniqueness condition for straddling 
encryption steps (Sect. 3.4) was recognized at the latest around 1580 by the 
papal secretary of ciphers Giovanni Battista Argenti and his nephew Matteo 
Argenti. The modern Fano condition “no cipher element is head of another 
cipher element” (Robert M. Fano) is a sufficient condition the Argentis were 
apparently familiar with. For unstraddling encryption steps, the hiatus and 
thus the right decomposition can be found by counting. 



2-4 Polyphony 37 


2.4.1 Polyphones. Polyphones occur if the relation X is not injective. 
They are unblushingly used in English when, e.g., both the phonemes \a\ as 
in \brak\ and \e\ as in \frek\ are printed ‘ea’. Cryptographically, polyphonic 
enciphering steps, in which several plaintext words are assigned to one and 
the same cryptotext word, make decryption a guesswork and are rare. 

The ‘SA Cipher’, a code used by the British Admiralty in 1918 (Sect. 4.4.3, 
Fig. 38), and the Duchesse de Berry’s cipher which used as a substitution al¬ 
phabet LEGOUVERNEMENTPROVISOIRE (Sect. 3.2.5), are among the 
very few examples of genuine polyphony. In practice, there is sufficient se¬ 
mantic information to avoid ambiguity if, say, ‘Diesel oil’, ‘Corporal’, and 
‘Paris’, or ‘runway’, ‘General’, and ‘ground fog’ are polyphones. The idea 
seems to occur to amateurs more than anyone. A loving couple in England 
provided Babbage with a tough nut to crack in 1853, with a polyphonic cipher 
using the digits 0 ... 9 , in which, e.g., 

1 stood for t and u, 2 for m and o, 4 for e and r, 8 for h and i. 

The message began with 

1821 82734 29 30 84541 

which (allowing for two enciphering errors) meant “thou image of my heart”. 
It seems that the lovers derived special pleasure from the unnecessary com¬ 
plication. 

However, polyphonic ciphers were used in the ancient civilizations between 
the Nile and the Euphrates. As the letters of the alphabet also served as 
number symbols, it was a popular pastime to add up the values of the sym¬ 
bols representing a secret word ( gematria ). In this way, the isopsephon 666 
mentioned in the Apocalypse (Rev. 13.18) has been taken to represent the 
Emperor Nero (Fig. 20). There are said to be people who refuse to accept a 
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Seen from the point of view of common European languages, Arabic script 
(without vowels) is also polyphonic. The puzzle of what “Pthwndxrclzp” in 
James Joyce’s Finnegans Wake means is something that will keep historians 
of literature (and undertakers) busy for many years. 

From a technical standpoint, Bazeries’ cylinder (Fig. 19), dealt with in Sect. 
7.5.3, operates with both homophones and polyphones. However, injectivity 
is effectively maintained because the ‘illegal’ polyphonic texts are almost cer¬ 
tainly meaningless (Fig. 21). Polyphony may also cause difficulties in certain 
ways of cryptanalysis. Polyphone plaintexts belonging to the same cryptotext 
are called variants there. 
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GXYYSXDBRZ ZBGBBGS ICU 
HZQXRVPIYDLDLCCNOUHS 
IARVOTREBISGODDFNAVT 
JESUI S I NDECH I F FR.ABL E 
KITTQRJHEUOJRGGTBCBL 
LOV S PQUUTPUKE J HHCFDA 
MUXRNP GR S RRNMKKUDGF C 
NYZQMNVXLOAPTLMBFJGF 
OBAPLMBLFTNQDMOCGKIB 

Fig. 21. Several polyphonic texts for one setting of Bazeries’ cylinder 


2.4.2 Word spacing. The suppression of word spacing and of punctuation, 
one of the basic rules of classical professional cryptography (i.e., of “formal 
ciphers”), is strictly speaking polyphony. In some cases genuine ambiguity 
can occur if the position of the boundary between words is uncertain; for 
example, “dark ermine” and “darker mine”. The sentences 

“Five fingers have I on each hand ten in all” 

“Ten digits have I on each hand five and twenty on hands and feet together” 

also permit of various interpretations, depending on the punctuation; only 
one interpretation makes logical sense. In the sentence 

“Forget not to kiss thy wife” 

the sense can only be derived from the context. Modern English can be just 
as confusing: 

“British Rail hopes to have trains running normally late this afternoon” 
would do little to raise the hopes of frustrated travellers, while 

“The Prime Minister called for an end to violence and internment as soon 
as possible” 

is a choice morsel for the opposition. Injectivity is often violated when there 
are insufficient contextual clues: 

“the captive flies.” 

The phrase 

“two thousand year old horses” 

even allows for three different interpretations: two-thousand-year-old horses, 
two thousand-year-old horses, two-thousand year-old horses. 

Another example where the suppression of hyphens may cause trouble is: 

“a man eating fish — a man-eating fish.” 

There is hardly any practical requirement for polyphonic texts that are en¬ 
crypted by the empty word—except, perhaps, to eliminate waffle in a text. 



2.5 Character Sets 39 


2.5 Character Sets 

We use N to represent W |, the finite size of the plaintext or cryptotext 
character set W. Since the case N = 1 conveys no information, it is a 
requirement that N > 2. An alphabet is a linearly ordered character set. 

2.5.1 Plaintext character sets. Which ones are in use depends on the 
language and the epoch. In the case of Hawaiian, the character set 
Z \2 = {a, u, i, o, e, w, h, k, 1, m, n, p} is sufficient. 

In the Middle Ages, following the Latin tradition, 20 letters seem to have 
been enough for most writers, including Della Porta in 1563 (Fig. 23): 

Z 20 = {a,h, ..., i, 1, ..., t, v, z} . 

Often /k/, /x/, and /y/ are included, or just /x/ and /y/ (Della Porta at 
other times), /w/ was long written as /vv/, so making room for /&/, as on 
Leone Battista Alberti’s disk in 1466 (Fig. 26). By 1600 an alphabet of 24 
characters had become a European standard, 

Z 2 .i = z 23 u {w} , where Z 23 = Z 20 U {k, x, y} , 

with /v/ still used for /u/. Trithemius (1508) used /w/, see Fig. 64. In 
a French translation of 1561 (Gabriel de Collange), the ‘German’ /w/ was 
replaced by /&/, according to Eyraud. 

In the 18th century /u/ was included: 
z, 2 U 5 W = Z 23 U {u, w} . 

But if /j/ is required (in French, for example), then /w/ must be sacrificed 
again (Bazeries, 1891): 

■^25 = -^23 U {j, u} . 

/j/, /k/, /w/, /x/, /y/ are very unusual in Italian, as are /k/, /w/ in French. 
Irish can do without /j/, /k/, /q/, /v/, /w/, /x/, /y/, /z/. 

From about 1900, our present alphabet, 

Z 26 = Z 23 U {j, u, w}, 

was in general use. But there are exceptions even in Middle Europe. In the 
Second World War, the exiled Czech government used the extended character 
set consisting of 31 letters and 13 number symbols and other characters 
Z 44 = {a, b, c, c, d, e, e, f, ..., r, f, s, s, t, ..., z, z, -, >, *, 0, 1, ..., 9} . 

The Italian cifrario tascabile from the First World War used a character set 

2^36 = ^26 U {0, 1, . . . , 9} . 

The (present-day) Cyrillic alphabet has 32 letters (disregarding E): 

Z 32 = { A, B, B, T, H, E, >K, 3, M, H, K, JI, M, H, O, n, 

P, C, T, y, <F, X, H, M, HI, HI, T>, BI, B, 9, IO, H} . 

Otherwise many different special conventions have been used to represent 
digits and, if necessary, punctuation marks and diacritic marks. 
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Spaces between words are suppressed in professional cryptography. Even in 
German, where the words are longer than in most languages, word spacings 
are commoner than /e/. 


2.5.2 Technical character sets. The cryptotext character sets in use are 
usually determined by technical restraints; besides the alphabets mentioned 
above, there are other technical character sets, 


J 256 


= Z\ 


Z32 

Z 12 = {0,1,2, ..., 9, v, C} 
= {0,1,2, ...,9} 


■Z10 

^6 

Z 4 


= Zo (bytes; IBM circa 1964) 

(Francis Bacon 1605, 1623, Baudot 1874) 
(duodenary; Pascal 1654, Leibniz 1676) 
(denary) 

(senary; these letters correspond to the Morse 

characters ,-,-, •••-, -) 

(quaternary; Alberti 1466, Caramuel 1670, 
Weigel 1673. {A, C, G, T} : genetic code 7 ) 

(ternary; Trithemius 1518, Wilkins 1641,Fride- 
rici 1685) 

(binary; Bacon 1605, 1623, Leibniz 1679) 
and also invented symbols, popular among amateurs (Sect. 3.1.1). 

Binary 8 , ternary, quinary, and denary ciphers have W = Z 2 , W = Z 3 , 
W = Z 5 , W = Z 10 respectively. 

2.5.2.1 The nine digits 1, 2, 3, 4, 5, 6, 7, 8, 9 have been used by the German 
Kriegsmarine —iterated if necessary—to encode map coordinates (Fig. 22). 


= {A, D, F, G, V, X} 
= {1, 2, 3, 4} 

= {1, 2, 3} 

= {0,1} = {0,L} 
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Fig. 22. 

Digit cipher in a map grid 


2.5.2.2 It is fashionable to write the ciphertext or codetext in groups of five 
characters. This has its origins in the tariff regulations of the International 
Telegraph Union, which since 1875 has limited the length of a word to ten 
symbols (and imposed serious restrictions on the use of codes). In 1904 codes 
were allowed to have up to ten letters; later, telegram charges were generally 
based on groups of five (Whitelaw’s Telegraph Cipher: 20 000 pronounceable 
five-letter code groups, giving 400 million ten-letter code groups). 

2.5.3 Hints. In the relation X : V* ->- W*, the cryptanalyst knows 

neither V nor X . However, from X(U*) , the set of actually occurring 
crypt words, he can occasionally deduce the method in use (e.g., Polybios 
square, Sect. 3.3.1). 

7 AACACTGTATCTATTATTTG: initial sequence of the genom of the African elephant. 

8 Binary in the sense of biliteral, a character set of two elements: Bacon 1605, 1623. 
With explicit values a = 1, b = 2, c = 4, d = 8, etc. (abfg = 99): Napier 1617. 
Positional system with binary digits: Harriot before 1621, Caramuel 1670, Leibniz 1679. 
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2.5.4 The endomorphic case. If, as is often the case, the plaintext and 
the cryptotext use the same character set (V = W , X endomorphic), then it 
is nowadays conventional in theoretical treatments to write the plaintext and 
its characters in lower-case letters, the ciphertext or codetext and its charac¬ 
ters in small capitals. That leaves upper-case italic letters for so-called key 
characters. However, Alberti’s disk (Fig. 26) used the opposite convention. 
Even in 1925, Lange-Soudart’s book showed a Saint-Cyr slide (Fig. 27) with 
the plaintext in uppercase and the cryptotext in lowercase. 

2.6 Keys 

A key (French clef, cle, German Schliissel) serves to select a step from a 
cryptosystem M. Keys allow one to change the encryption in accordance 
with previously arranged rules; for example, every day, or after every message, 
or after every character. Frequently, keys are organized such that they allow 
one to produce the individual encryption steps by following simple rules. 
The combinatorial complexity of an encryption method is determined by the 
number of keys available under this method. The key technique is very varied, 
and will be dealt with under the individual classes of methods. Usually, the 
mapping of the key symbols onto the set of encryption steps is injective, 
but there exist exceptions, such as the PORTA encryption (Figs. 65 and 82) 
where always two letters represent the same encryption step. 

Let K denote the key character set or key vocabulary. K* is called the key 
space. Let kj € K be the j-th key used in sequence; then k 3 determines an 
index Sj such that the encryption step is . € M = {yo, Xi> Xi ? ■ ■ ■ > Xo-i} ■ 

2.6.1 Keys are to be changed frequently. Repeated use of the same key 
is equivalent to using an encryption system with only one element. Profes¬ 
sional cryptography makes hardly any use of such fixed encryptions—except 
in the case of codes. The use in diplomatic circles of the same code book 
for years on end is a typical case—though one can scarcely regard the diplo¬ 
mats of many countries as professionals in the matter of ciphers: in cities 
like Vienna, there has been a lively underground market for diplomatic codes 
at various times. The Soviet Union had a particular reputation for stealing 
code books. 1936, a Russian agent in Haarlem (Netherlands) used a stolen 
code book to decipher telegrams between the Japanese military attache in 
Berlin and his government in Tokyo. At the beginning of the First World 
War, probably every European power possessed copies of one or more of the 
American diplomatic code books. In August 1941 Loris Gherardi secretly 
procured for the Servizio Informazione Militare a copy of the BLACK code 
used by US military attaches. There is a story, told by Allen W. Dulles, 
of the American minister in Rumania—an ousted politician, like so many 
diplomats—who was unwilling to report the loss of his code book. He would 
wait until several messages had accumulated, then take the train to Vienna 
to decipher them at the embassy there. The moral is that even code books 
must be changed regularly, if necessary monthly. 
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Keys used for choosing a method must be a matter of mutual agreement. If 
one party is cut off, then the supply of new keys is at risk, difficult, or even im¬ 
possible. In such cases use is often made of innocent sets of letters or figures, 
such as popular novels, statistical reports, telephone books, etc.—almost 
everything has been used at some time, from Jaroslav Hasek’s Good Soldier 
Svejk to the 1935 Statistical Almanac of the German Reich. Even this 
system is vulnerable—if the source of keys is revealed, then a whole stream 
of messages becomes transparent at one blow. 

2.6.2 Block. Following the notation of Sect. 2.3, let X be a finitely gener¬ 
ated block cipher, X = [ y Sl , % S2 , x« 3 > • • • ], where \ Sj ■ Pj cj . 

(PhP 2 iP 3 i ■ ■ •) , where Pj £ V n , designates the plaintext sequence; 

(ci, C2, C3,.. .) , where Cj £ W m , designates the cryptotext sequence, 

(fci, &2, &3, ■ • ■) , where kj € K , designates the keytext sequence. 

Let kj be a key which determines , Sj an operator standing for Xsj(-) ■ 
Then we have three notations for the cryptographic equation 

c j = Xsj (Pj) or Cj = X(pj, kj) or Cj = Pj Sj . 

Note that Xi indicates the i-tli encryption step in a numbered list of steps, 
while Xsj is the step used to carry out the j -th step in the encryption. 

2.6.2.1 If Xs ■ is an injective definal function , as is usually the case, then there 
exists an inverse function xj 1 , for which (with Y = [ \7i , X7-7 > X^ 1 > • • • ]) 

Pj=X7 J 1 ( c j) or Pj= Y ( c ji k j ) or Pj= c jSj 1 ■ 

Thus Xj/ (Xsj ( Pj)) = Pj and also Xsj (x7ix Sj ( Pj ))) = Xs } ( Pj) ■ 

2.6.2.2 If x« is also surjective and unambiguous from left to right (func¬ 
tional), then for all Cj £ W m even 

Xs j {x7 J 1 ( c j)) = c l ■ 

In the case of alternating traffic between two parties A and B, one of them 
can use a sequence of x. Sj as both encryption and decryption steps, the other 
a sequence of xj 1 as both decryption and encryption steps. 

2.6.3 Isomorphism. Let X again be a finitely generated block cipher. 
Two plaintexts (p'i,P 2 ,P 3 , • • •) > (hi ■ p'i ; P'i■ ■ ■ ■) such that p' = p" S, where 
S' is a fixed substitution, are called isomorphic. Assume the same for two 
cryptotexts (c), d 2 , c ' 3 ,...), (c", c'f, c'j ,...) such that c( = c" T, where Tis a 
fixed substitution. Then, for the encryption steps E(, E", the following holds: 

If cl = p'jEl and c" = p"£" , then S E[ = E" T . 

If the encryptions E( and E" possess an inverse, then isomorphic plaintexts 
encrypt to isomorphic ciphertexts, and vice versa. Then 

T = (EC)- 1 S E\ and S - E" T (E'Cy 1 ■ 

If the fixed substitutions S and T possess inverses, then the keys can be 
transformed one into another: 
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2.6.4 Shannon. For cryptosystems V* - ^W* , Claude Shannon intro¬ 

duced in 1949 an important concept: such a cryptosystem is called pure, if 
(*) for all i,j,l : SiSjSi = S x for some x. 

Here, S, : G V*—+W*, % G V*+— W*, and ,$) G V* — +-W*; 

SiSjSi means: first enciphering with key fc,, then deciphering with key kj, 
then enciphering with key ki. 

2.6.4.1 Now the following theorem holds: 

• In a pure cryptosystem, 

the elements {SjSi} of V* —*- V* form a semigroup. 

Proof: (1) The associative law holds. 

(2) The composition of two elements is an element: 

(KnSi)0jSi) = 1§Z(Si1SjSi) = S^,S X for some x. ex 

If V* - )~W* is, as usual,injective (left-univalent), which means there is an 

Si G V* ^— W* such that Si Si = /, the identity. If even, as is the case 

with many ciphers, V* - y-W* is functional (right-univalent), i.e., Si Si = I, 

then each S'/ S t has a left and right inverse S; Sj , and the elements {Si Si} of 
V* - >~V* form a group, with Si Si being the identity. 

Now assume one-to-one mappings. The residue class A 4(m) of a message m 
consists of all messages produced by enciphering to by some S) and decipher¬ 
ing this by some Sj' 1 , which means A4 (to) = {SjSi m}. For a pure encryp¬ 
tion, this process is idempotent: for any y G A4(to), i.e. y = Sy 1 SV m for 
some Sp 1 , Si> , we have A 4(y) = {(Sj~ 1 Si)(Sp 1 Si> m}= {Sj~ 1 (SiSjr 1 Si>) to} 
= {SjS x m}C A4(to). In a pure cryptosystem, the cryptanalyst will be un¬ 
able without further information to distinguish the messages of any given 
message residue class. Thus, to protect against brute force attacks, residue 
classes of pure cryptosystems should be as large as possible. 

2.6.4.2 If the cryptosystem is endomorphic, i.e., V = W, as is the case with 
most ciphers, then the following stronger results hold: 

• In an endomorphic pure cryptosystem containing the identity I, 

the elements {S}} of V* ->- V* form a subsemigroup of { Sj' 1 S,}: 

the cryptosystem is called closed under composition (Salomaa). 

• If an endomorphic pure encryption is injective and functional, then 
the elements {Si} form a group, the key group of the cryptosystem. 

Proof: (1) Take Sj = I in (*). (2) Take Sj = I in {S^S}}. ex 

In an injective and functional pure cryptosystem, the encryption step is 
uniquely determined by a pair of plaintext and corresponding cryptotext 
characters. We may speak of a Shannon cryptosystem. Many customary 
cryptosystems have this property. 

2.6.4.3 An endomorphic cryptosystem where the encryption step and the 
decryption step coincide, and thus the crypto procedure is symmetrically 
determined, is called key-symmetric. In this case, every encryption step is 
self-reciprocal, is its own inverse (Kahn: ‘reciprocal within itself’). 
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Among the encryption steps we find prominently two large classes: substi¬ 
tution and transposition. They are both special cases of the most general 

encryption step G*™)->- W( m ' > . We shall start by looking at several kinds 

of substitution and turn our attention to transposition in Chapter 6. 


A simple substitution (German Tauschver- 
fahren or Ersatzverfahren ) is a substitution 
with monographic encryption steps Xi G Af, 

Xi : —>■ W (mi ) . 

In the monoalphabetic case, an arbitrary \s 
is selected from M and encryption is done 
with the sequence X = [x s , Xs , Xs , ■■■} ■ 
It is in this case sufficient to take a singleton 
for M. 

We start with the case m,; = 1 for all i . 


Fig. 23. Cipher disk by Giambattista Della Porta, 1563 



3.1 Case G (1) —*- W (Unipartite Simple Substitutions) 

The case G*G - —>- W deals with a unipartite simple substitution, for short 
just simple substitution (French substitution simple ordinaire). 

3.1.1 G-v W , heterogenous encryption without homophones 

and nulls. This case is primeval. For W an alphabet of strangely formed, 
unusual graphemes is frequently used: Examples are known from Thailand, 
Persia, Coptic Ethiopia and elsewhere. Such secret marks are used by Gi¬ 
ambattista Della Porta, 1535-1615 (Giovan Battista Porta) in his cipher disk 
(Fig. 23, see also Fig. 30). Charlemagne is said to have used such characters 
(Fig. 24) as well as the savant and mystic Hildegard von Bingen (1098-1179). 


3.1 Case - —W (Unipartite Simple Substitutions) ^5 


a b c d e f g b i k l m n o p q r ft u x j 2 tl 

na'jt Iff* lpQX.S»X9G«i>* V"? J£ P<>9X Z %7TT!i; 

Fig. 24. Secret characters of Charlemagne 

The Freemasons’ cipher is to be mentioned here. It goes back to the ancient 
‘pigpen’ cipher, and in its modern form reads 

abcdefgh ijklmno pqrstuvwxy z 

juLDD[innrjLJLi]0E"nnr^><^ ><^ 


It can be memorized by the schemes 
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As late as 1728, when it was broken by Britain’s Deciphering Branch, the 
Czar Peter the Great used (besides nomenclators) a heterogenous substitu¬ 
tion V >-W with a bizarre cipher alphabet. 

Edgar Allan Poe, famous for his literary works, used a rather trivial alphabet 
of common printer’s types in his story “The Gold-Bug” (Sect. 15.10.1). 

In this class is also the bookseller’s cipher for encrypting prices and dates, 

a one-to-one mapping Z io- ^^26 , generated by a password (‘key-phrase’ 

cipher). An example is 

1234567890 

MILCHPROBE, 

an encryption step with the password milchprobe (‘milk sample’) used in 
Germany over many years for specifying the packing date of butter. Likewise, 
in Navy ENIGMA enciphering, sometimes figures were represented by letters 

1234567890 

qwertzuiop 

3.1.2 pW-s- W , heterogeneous encryption with homophones 

and nulls. Homophones are found already in Muslim sources, e.g., al- 
Qalqashandi 1412, and in a cipher used by the Duchy of Mantua in 1401 
for an exchange of letters with Simeone de Crema. The vowels—typically 
the more frequent characters—were given homophones, a first sign of con¬ 
siderations to level the character frequency. Furthermore, W was enlarged 
by digits. The introduction of homophones practically enforces the introduc¬ 
tion of nulls; otherwise homophones can be recognized easily by the constant 
pattern of letters surrounding them in frequent words. 

A method with homophones used even today is the book cipher: In some in¬ 
conspicuous looking book that sender and recipient have at hand in identical 
copies the plaintext letters are selected one after another; the corresponding 
places: (page x, line y, position z) form the cipher group ( x-y-z ). 
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Choosing as the cipher book the present volume, the word mammal can be 
encrypted as (3-3-6) (7-15-9) (6-6-5) (5-4-6) (4-3-10) (3-5-23). 

3.2 Special Case V -4 — >- V (Permutations) 

In the case of a one-to-one mapping V -4—>- W among the examples in 
Sect. 3.1.1, W is called a mixed (cryptotext) alphabet of N characters 
(French alphabet desordonne, alphabet incoherent , German umgeordnetes Ge- 
heimtextalphabet), that matches a standard (plaintext) alphabet (French al¬ 
phabet ordonne , German Standard-Klartextalphabet) V of N characters. 

To define a substitution, it suffices to list in some way the matching pairs of 
plaintext characters and cryptotext characters, e.g., for V = Z 2 6, W = Z 2 6 
(for the use of lower-case letters and small capitals see Sect. 2.5.4): 

udcbmavgkstnwze i h f q 1 j r o p x y 
HEWA S RIGTOUDCLNMFYVBPKJQZX 

For encryption, it is more convenient, of course, to have the plaintext 
characters ordered into a standard plaintext alphabet; this gives a mixed 
cryptotext alphabet (often simply called ‘mixed alphabet’): 

ab c cle f gh i j k lmnopqr s tuvwxyz 
RAWENYGFMPTB S DJQVKOUHI CZXL 

In mathematics, this ‘substitution notation’ is customary. For decryption, 
however, it is better to have the cryptotext characters ordered into a standard 
cryptotext alphabet; this gives a mixed plaintext alphabet: 

blwndhguvorzi e s jpamktqcyfx 
ABCDEFGHIJKLMNO PQRSTUVWXYZ 

In case V -4—>- W , \V\ = \W\ (and W can be renamed such that V = W), the 
encryption is endomorphic, the one-to-one mapping V -4—>- V is a permu¬ 
tation of V. Such a permutation can be accomplished in electrical imple¬ 
mentations by interchanging N wires (German Umstecken ) in a wire bundle. 
For permutations in particular, mathematics uses apart from the substitution 
notation the ‘cycle notation’ 

(arktuhfyxzlb) (c w) (d e n) (g) (i m s o j p q v) 
in which the distinction between lower-case letters and small capitals has 
to be abandoned. For encryption, one goes in the cycle where the plain¬ 
text character is found to the cyclically next character; for decryption, to 
the cyclically preceding character. Cycles of length one (1-cycles) are often 
suppressed—we shall not follow this habit. 

3.2.1 Self-reciprocal permutations (reflections). The most ancient 
sources (apart from Egypt—we shall come back to this under ‘code’) show a 
self-reciprocal (‘involutory’) permutation of V : in India, in the Kama-sutra 
of the writer Vatsydyana, secret writing is mentioned as one of the sixty-four 
arts; Muladeviya denotes an encrypting and decrypting procedure, which is 
a reflection (‘involution’): 
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v 2 a kh gh c t n n r 1 y 

v v ' 1 k g ntpnmsss 

(the remaining characters are left invariant, so the permutation is not proper¬ 
ly self-reciprocal, is not a genuine reflection). Plaintext and cryptotext alpha¬ 
bets of a self-reciprocal permutation are said to be reciprocal to each other. 

In the Hebrew Holy Scripture boustrophedonic substitution, called Athbash, 
was used—although not for a cryptographic purpose—which would read in 
the Latin alphabet V = Z 20 

V -4—>- V : T ! l! t f ! n n • Such a substitution uses the reversed 

^ zvisrqpo nin 

(‘inverse’) alphabet. In the case of the reflection 

V -< —s- V : | azvtsrqponm Charles Eyraud speaks of a comple¬ 
mentary alphabet (French alphabet complementaire) , see Sect. 5.6. This per¬ 
mutation, however, is again not properly self-reciprocal (is not a genuine 
reflection): /a/ and /m/ are left invariant. 

Obvious is also a reflection with a shifted alphabet like the Hebrew Albam, 
used in 1589 by the Argentis with V = Z 2 o 

v , 2 ; v . t abcdefghi 1 

v v ’ -1 mn opqrstvz 5 

or the one used by Della Porta in 1563 (see Fig. 65) with V = Z 22 

y 2 y | abcdefghi1m 

v ^ v ‘ -L nopqrst vxyz 

The most general boustrophedonic case, showing the use of a password, is 
presented by the following example: (V = Z 2 q) 

v 2 y . t ange rbcdfhi j k 

v v T zyxwvutsqpoml 

Reflections have, apart from the advantage of a compact notation, the prop¬ 
erty which some people have held to be of great importance that encryption 
and decryption steps coincide. 

In the cycle notation of permutations, the last five examples would read (with 
cycle outsets ordered alphabetically): 

(a,z) (b,v) (c,t) (d,s) (e,r) (f,q) (g,p) (h,o) (i,n) (l,m) 

(a) (b,z) (c,v) (d,t) (e,s) (f,r) (g,q) (h,p) (i,o) (l,n) (m) 

(a,m) (b,n) (c,o) (d,p) (e,q) (f,r) (g,s) (h,t) (i,v) (l,z) 

(a,n) (b,o) (c,p) (d,q) (e,r) (f,s) (g,t) (h,v) (i,x) (l,y) (m,z) 

(a,z) (b,u) (c,t) (d,s) (e,w) (f,q) (g,x) (h,p) (i,o) (j,m) (k,l) (n,y) (r,v) 

Properly self-reciprocal (‘non-crashing’) is a self-reciprocal permutation with¬ 
out 1-cycles, which means solely with 2-cycles (‘swaps’). It is the target of 
cryptanalytic attacks (Sect. 14.1) that cease to work if some of the cycles are 
1-cycles (fixpoints, ‘females’). 

For a binary alphabet V = Z 2 , the sole nontrivial permutation is a reflection: 
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V ^ V : I 


O 

L 


3.2.2 Cross-plugging. In electrical implementations, reflections are ac¬ 
complished by swapping pairs of wires, simply by using double-ended connec¬ 
tors (Fig. 25). Such reflections were used in the ENIGMA plugboard (German 
Steckerbrett). 
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abcdefghijklm 
Fig. 25. Self-reciprocal permutation by cross-plugging with a pair of double-ended con¬ 
nectors which interrupt the direct contacts. 


The number d(k , N) of reflections depends on N and the number k of cinch 
plugs used: d(k, N ) = 2k<N W 2k)lk , = Q ■ = (j*) • (2 k - 1)!! , where 

(2k — 1)!! = (2k — 1) • (2k — 3) • ... -5-3-1= . 

Properly self-reciprocal permutations (‘genuine’ reflections) require N = 2v 
to be even, they consist of v 2-cycles. The number d(^-,N) of all genuine 
reflections is then (with a relative error < ICG 3 for N > 6 ) 

d(%,N) = (N-l)\\ = (N —1) -(N — 3) ■ ... -5-3-l=^ « tfit+i) ' 
The approximate value is a rather good upper limit for (N — 1)!! . 


For fixed N , however, d(k , N) is maximal for k = v — |_ \J(v + 1)/2J : 


d( 5,26) ? 

a 5.02 • 

10 9 , 

d( 6,26) ? 

» 1.00 • 

10 11 

,d( 7,26) ? 

a 1.31 • 10 12 

d( 8,26) ? 

a 1.08 • 

10 13 

, d(9,26) ? 

a 5.38 • 

10 13 

, d(10, 26) ? 

a 1.51 • 10 14 

d(ll, 26) ? 

a 2.06 ■ 

10 14 

, d( 12,26) ? 

a 1.03 • 

10 14 

, d(13, 26) p 

a 7.91 • 10 12 


and d( 3,10) = 3150 , d( 4,10) = 4725 , d( 5,10) = 945 . Note that 
2 log d(10,26) «47.1 [bit], 2 log d(ll, 26) «47.5 [bit], 2 log d(12,26) «46.5 [bit] 
and for all reflections: 2 log d(k, 26) « 2 log 5.33 • 10 14 « 48.9 [bit] . 

The ENIGMA I of the Reichswehr of 1930 and the Wehrmacht ENIGMA 
originally used six double-ended two-line connectors; later, beginning Octo¬ 
ber 1, 1936, five to eight, from January 1, 1939, seven to ten, and from August 
19, 1939, prevailingly ten (sometimes, e.g., key net BROWN of the Luftwaffe, 
only six or seven) double-ended two-line connectors for cross-plugging. 

3.2.3 Monocyclic permutations. A compact notation describes also the 
monocyclic permutation (consisting of one cycle), the order of which is N: 
for example, with N = 20 the cycle of the standard alphabet Z 20 

N 

V -4— 7 - V : (a b c d e f g h i 1 m n o p q r s t v x) 
or its third power 

N 

V -<—>- V : (a d g 1 orvbehmpsxcfinqt); 
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in substitution notation 

abcdefghilmnopqrstvx 
BCDEFGH I LMNOPQRSTVXA , 

abcdefghi lmnopqrstvx 
DEFGH I LMNO P QRSTVXABC 

The last encryption step was used by Julius Caesar (according to Suetonius), 
counting upwards three letters in the alphabet. His successor Augustus, infe¬ 
rior in several respects to Caesar, used the first encryption step (possibly he 
could not safely count up to three); Suetonius said he also replaced x by AA. 
Every power of the cycle of the standard alphabet yields (by a ‘CAESAR 
shift’) a CAESAR alphabet. We shall come back to this CAESAR addition 
in Chap, 5. But note: while the two encryption steps above are of the order 
twenty, the second power has only the order ten, and the tenth power has 
only the order two: it is a reflection as studied above. The (AT— l)-th power 
is the inverse of the first power and yields the decryption step. 

A monoalphabetic substitution with a CAESAR encryption step was intro¬ 
duced in 1915 in the Russian army after it turned out to be impossible to 
expect the staffs to use anything more complicated. For the Prussian Lud¬ 
wig Deubner (1877-1946) and for the Austro-Hungarian Hermann Pokorny 
(1882-1956), heads of the cryptanalytic services of their respective countries, 
it was a pleasantly simple matter to decrypt these messages. 

By its very nature, a track on a disk, the rim of a washer, or a strip closed to 
form a ring can be used to represent a full cycle. Such gadgets have found wide 
use and were employed in a particular way (Sect. 7.5.3) by Thomas Jefferson 
and Etienne Bazeries. The g-th power of the monocyclic permutation is 
obtained by counting within the cycle in steps of q characters. 

3.2.4 Mixed alphabets. For non-selfreciprocal and non-cyclic V -<—>- V , 
in the most general case of a mixed alphabet (French alphabet desordonne, 
German permutiertes Alphabet), substitution notation is normally used: 

T/ abcdefghi jklmnopqrstuvwxyz 

V ^ y V : SECURITYABDFGHJKLMNOPQVWXZ 

The short cycle notation is useful here, too. It shows the decomposition 
V -4 —yV : (asnhyxwvqlfi) (b e r m g t o j) (c) (d u p k) (z) , 
into one 12-cycle, one 8-cycle, one 4-cycle, and two 1-cycles (cycle partition 
12+8+4+1+1). 

Serge Kanschine and Emil Jellinek-Mercedes received Dezember 27,1911 an 
Austrian patent Nr. 51 351 for a cipher typewriter, where the permutation 
was simply carried into effect by caps mounted over the typewriter keys. Not 
too practical: For deciphering, a second such typewriter was needed. 

3.2.4.1 More mixed alphabets are obtained by a cyclic shift of one of the two 
lines in the substitution notation (shifted mixed alphabets, French alphabet 
desordonne parallele, German verschobenes permutiertes Alphabet): 
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abcdefghi j klmnopqr s tuvwxyz 
ECURITYABDFGHJKLMNOPQVWXZS 
abcde fghi j k lmnopqr s t u vwxyz 
CUR I TYABDFGH J KLMNOPQVWXZSE 


in cycle notation 


etc., 


(a e i b c u q m h) (d r n j) (f t p 1 g y z s o k) (v) (w) (x) , 


(acrolhbuvwxzetqnkg) (f y s p m j) (d i) etc. 


3. 2 . 4. 2 Iterated substitution, also called ‘raising to a higher power’ produces 
the powers of a mixed alphabet, e.g., from the substitution SECURITY... 
above, the second power gives 

(any wqf) (b r g o) (c) (d p) (e m t j) (h x v 1 i s) (k u) (z) , 
with all cycles of even length being split in halves; in substitution notation 
j f abcde fghijklmnopqrstuvwxyz 

V ^ XV : NRCPMAOXSEUITYBDFGHJKLQVWZ 

Shifting on the one hand, raising to a power on the other do not give the 
same thing in general; they are two utterly different methods for producing 
a family of up to N (sometimes less) accompanying alphabets (Chapter 7). 


3.2.5 Construction of alphabets derived from passwords. The exam¬ 
ples above show already the construction of an (endomorphic) simple sub¬ 
stitution V -4 — >~V with the help of a password (French mot-clef , German 
Kennwort, Losung), possibly a mnemonic key word or phrase. A classical 
method uses a word from V , writes its characters without repetitions and 
fills in alphabetic order with the characters not used. Examples can be found 
in a little booklet of 1555 by Giovan Battista Bellaso: NOVI ET SINGOLARI 
MODI DI CIFRARE ... . The method, propagated by G.B. Argenti, was still a 
cryptologic standard even in the 20th century. 1 

This construction, however, is vulnerable: it may be easy to guess a missing 
part of the password (after all, the most frequent vowels /e/ and /a/ always 
are substituted by a letter from the password, if this has length 5 or more). 
A small consolation is that the password should not need much fill. 

More cunning methods use therefore a reordering of the password; for exam¬ 
ple, by writing it first in lines and reading it in columns (method of Charles 
Wheatstone, 1854, a transposition to be treated methodically in Sect. 6.2): 

SECURITY a e i lorux 

ABDFGHJ K bfjmpsvy 

LMNOPQVW cgknqtwz 

X Z d h 


This yields the alphabet 


1 Allowing repetitions is bad: it leads to polyphones, e.g., the ‘key-phrase’ cipher 
abcde fghij lmnopqr stuvxyz 
LEGOUVERNEMENTPROVISOIRE 
and shortens the cryptotext character set (here to 13 characters {EGILMNOPRSTUV}; 
(t>, g, j, m, z}i—>{E}, (d, r, v}i—»{0}, {h, q, y}e^{R}, {f,s}i-^{V}, {i,n}i-^{N}, {t,x}>->{I} ). 
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abcde f g h i j k lmnopqrs t uvwxy z 
SALXEBMZCDNU F ORGPIHQTJVYKW 

or in cycle notation 

(ashzwvjdxyknoriclutqpgmfb) (e) 
with the 1-cycle (e). 

A further method fills also the columns of the plaintext side in the alphabetic 
order of the letters of the password, in the example in the order 

third, second, sixth, fifth, first, seventh, fourth, eighth column 
with the result 


s 

E 

C 

U 

R 

I 

T 

Y 

n 

cl 

a 

u 

k 

h 

r 

X 

A 

B 

D 

F 
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o 

e 

b 

V 
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L 
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Q 

V 

W 
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m 

j 

t 

z 


X Z q g 

This results in the alphabet 

abcde f g h i j klmnopqrstuvwxy z 
CDNEBMZ I HQRG P SALXTJVUFOYKW 

or in cycle notation 

(acnsjqxykrtvfmplgzwo) (b cl e) (hi) (u) . 

The suppression of repetitions in the password can also be used for the con¬ 
struction of cycles. The sentence Bazeries used evitez les courants d’air, 
“avoid drafts” (Sect. 7.5.3) produces the cycle 

N 

V -4—>- V : (evitzlscourandbfghjkmpqxy) 

3.2.6 Enumeration. The following table gives for TV = 26 , for TV = 10 and 
for TV = 2 a survey of the number Z(N) of available alphabets V -<—>- V : 


number of permutations 

Z(N) 

Z( 26) 

Z( io) 

Z(2) 

total 

TV! 

4.03 • 10 26 

3 628 800 

2 

monocyclic 

(TV - 1)! 

1.55 • 10 25 

362 880 

1 

reflections total 

«(f)f+ 2 

5.33- 10 14 

9 496 

2 

genuine reflections 

derived from mnemonic passwords 


7.91- 10 12 
10 4 ... 10 6 

945 

1 


3.2.7 Cipher disks and cipher slides. To mechanize a substitution, the 
fixed matching of the plaintext and the cryptotext characters, as found in 
the substitution notation, can be arranged on a cylinder or on a strip. Two 
windows allow one to see just two matching characters at any given moment. 
The windows can be arranged so that only the master sees the plaintext 
character, while the clerk only sees the cryptotext window and cannot grasp 
the meaning of the message (Sect. 7.5.2, Gripenstierna’s machine, Fig. 66). A 
selection from the TV accompanying shifted alphabets is obtained if one of 
the windows can be moved. 
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Fig. 26. 

Cipher disk (left-hand side) of 
Leone Battista Alberti, 1466 
(Lange-Soudart 1925) 
and (right-hand side) of 
Jacopo, 1526 


Another possibility is to shift the plaintext alphabet with respect to the 
cryptotext alphabet. This leads to the use of a pair of disks (Alberti cipher 
disk, Silvestri cipher disk, Fig. 26) or a pair of strips (Fig. 27). In the latter 
case it is necessary to repeat one of the alphabets (duplication). The chosen 
key letter is to be placed opposite a basic mark (French repere). 


|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|a|b|c|d|e|f|g|h|i|j|k|l|m| ... 

|s|e|c|u|r|i |t|y|a|b|d|f|g|h| j |k|l|m|n|o|p|q|v|w|5^z] 

Fig. 27. Cipher slide with duplicated plaintext alphabet (key g, basic mark S) 

Cipher disks (French cadran , German Chiffrierscheibe), mechanical tools for 
general substitution with shifted mixed alphabets, were described as early 
as 1466 by Leone Battista Alberti 2 (for an 18th/19th century version, see 
Plate B). Cipher slides (French reglette , German Chiffrierschieber ) were used 
in Elizabethan England around 1600. In the 19th century they were named 
Saint-Cyr slides after the famous French Military Academy. Cipher rods 
(French batons, German Chiffrierstabchen) serve the same purpose. 

3.2.8 Cycles with windows. Mechanizing a monocyclic permutation can 
also start from the cycle notation. The cycle of characters is again arranged 
on a cylinder or on a strip (in the latter case the first character must be 
duplicated). Two neighboring windows allow just two characters to be seen 
at any given moment, the left one of which is the plaintext character, the 
other one the corresponding cryptotext character. 

A selection from the (up to N) accompanying powers of a mixed alphabet 
is obtained if the distance between the windows can be changed. In the case 
of a strip, it is then necessary to duplicate the whole cycle. The q -th power 
of the monocyclic permutation is obtained if the windows have a distance of 
q characters (Fig. 28 for q = 14). 

Jr- — -1 

|s|e|c|u|r|i|t|y|a|b|d|f|g|h| j|k|l|m|n|o|p|q|v|w|x|z|s|e|c|u|r|i|t|y|a|b|d|f|g| ... 

Fig. 28. Cipher strip with windows for powers of an alphabet 

2 In Alberti’s illustration, differing from modern usage, capital letters are used for plain¬ 
text, small letters for cryptotext. The character /et/ presumably stands for the sym¬ 
bol & . The initial setting of the disk is established by lining up a key letter, say D , 
with a fixed character, say /a/. 
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3.3 Case V (1) — W m (Multipartite Simple Substitutions) 

3.3.1 m= 2, bipartite simple substitution V W y W 2 . Substitu¬ 
tion by bigrams (bipartite substitution) was known in antiquity, and Polybios 
described a quinary (|W|= 5) bipartite substitution for Greek letters. In a 
modern form, Z 2 5 is inscribed into a 5x5 checkerboard: 
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Decryption with the ‘Polybios square’ on the right hand side gives for the 
text semagram 

33515141234333514512432411343411343442331144424333 
of Sect. 1.2, Fig. 3, the plaintext 

need mo neyforassassi nation 

While Polybios described how torches can represent the numbers 1-5, knock 

signals are used for it in more modern times. The special Z 25 -y Z$ x Z, 5 

cipher above is the ubiquitous, truly international knock cipher, used in jails 
from Alcatraz to Ploetzensee by criminals as much as by political prisoners. 
The normal speed of transmission is 8-15 words per minute. 

In Czarist Russia, such a knock-cipher (with the Russian alphabet in a 6 x 6 
square) was common and came to Western Europe with Russian anarchists as 
part of the ‘Nihilist cipher’ (Sect. 9.4.5), it was also used steganographically, 
see Sect. 1.2. Arthur Koestler, in Sonnenfinsternis, and Alexander Solzhe¬ 
nitsyn, in The Gulag Archipelago , reported on its use in the Soviet Union. 

In general, a password is used, which is inscribed line by line and the remain¬ 
ing characters filled in. The count Honore de Mirabeau, a French revolu¬ 
tionary in the 18th century, used this method in his correspondence with the 
Marquise Sophie de Monnier—he, too, used it steganographically and added 
6 7 8 9 0 as nulls. 

The ADFGVX system, invented by Fritz Nebel (1891-1977), which was in¬ 
stalled in 1918 on the German Western Front under Quartermaster General 
Erich Ludendorff for wireless transmission (for the cryptotext alphabet Zq 
see Sect. 2.5.2), worked with \W\= 6 and checkerboards like 
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Rectangular arrays are used, too. Giovanni Batista Argenti, around 1580, 
used the following scheme (with W = Z 10 ) 
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constructed in accordance with Bellaso from a password. 

In general, the bipartite substitution leaves ample space for homophones: 
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In this example the character 0 may serve as a null. 0, originally nulla 
ziffra , still is not taken seriously everywhere. 

Preferably, homophones should smooth out the character frequencies in the 
cryptotext. Since the letters etaonirshin English have altogether a 
frequency around 70 % a good balance is reached by 
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9.45 % 


Another method uses a 4-letter password and decides in this way on the 
outset of the cycles (00...24), (25. .. 49 ), (50...74), (75. ..99) in defining (with 
V = Z 25 and W = Z 3 0 ) a homophonic cipher, e.g., with the password KILO: 

abcdefghiklmnopqrstuvwxyz 
K 16 17 18 19 20 21 22 23 24 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 

I 42 43 44 45 46 47 48 49 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 

L 65 66 67 68 69 70 71 72 73 74 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 

O 87 88 89 90 91 92 93 94 95 96 97 98 99 75 76 77 78 79 80 81 82 83 84 85 86 

A denary (|JF| = 10) bipartite cipher does not have to have homophones— 
the substitution does not have to be surjective and some pairs can be left 
unused. Such a cipher was used by the Swedish baronet Fredrik Gripenstier- 
na in 1786—possibly based on a proposal of Christofer Polhem, if not of 
Athanasius Kircher. A funny form of a bipartite cipher with homophones was 
agreed upon during the development of the atom bomb by Brig. Gen. Leslie 
R. Groves and Lt. Col. Peer da Silva in Los Alamos (Fig. 29), to be used in 
telephone conversations for veiling special names and places. The point is 
that it takes time to look up the letters, and thus homophones are selected 
more at random than normally, when the encipherer is biased. 

3.3.2 m = 3, tripartite simple substitution ->- W 3 . Substitu¬ 

tion by trigrams (tripartite substitution) was proposed by Trithemius in the 
Polygraphice and by Johannes Balthasar Friderici 1685, with |W|=3 (note 
that 3 3 = 27 > 26) for steganographic reasons. Otherwise, ternary substitu¬ 
tions like this one are rare. 
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Fig. 29. 

Bipartite cipher, 

used in Los Alamos in 1944 

for telephone conversations 


1234567890 
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3.3.3 to = 5, quinpartite simple substitution V d) - y W 5 . Sub¬ 

stitution by groups of five cryptotext characters (quinpartite substitution) 
with \W\= 2 was used by Francis Bacon in connection with steganographic 
means (note that 2 5 = 32 > 26). Quinpartite binary encryption was resur¬ 
rected in the cipher machine of Vernam in 1918 (Sect. 8.3.2) and during the 
Second World War in the cipher-teletype machines Siemens T52 ( Geheim- 
schreiber ) and Lorenz SZ40/42 ( Schliisselzusatz ), see Sect. 9.1.3 and 9.1.4. 

3.3.4 to = 8, octopartite simple substitution V d)-y W 8 . Again 

with \W\ = 2 (8-bit code, binary EBCDIC code, ASCII code with checkbit), 
this octopartite simple substitution coincides with monopartite substitution 
by bytes (^ 256 ) in modern computers. 


3.4 The General Case Rd) —-y w (m ), Straddling 

The general case pd)-^ w( m ) plainly invites the use of nulls and homo¬ 

phones. 

Simeone cle Crema in Mantua (1401) used just homophones (with m = 1). 
With to = 2 , apart from the use of homophones and nulls an important new 
thought comes into play: straddling (German Spreizen) of the alphabet, the 
mapping of P into W 1 U W 2 . A cipher used at the Holy See, the papal 
court, devised by Matteo Argenti after 1590, shows homophones, nulls, and 
straddling. For an alphabet Z 2 o enriched by /et/,/con/,/non/,/che/and 

with 5, 7 serving as nulls, the encryption steps Z jjj-y Z 2 0 U Z\ Q U Z® 0 

are (with precedence from left to right) 

che con non et a b c cl e f g h i 

44 64 00 08 1 86 02 20 62 22 06 60 3 

82 

lmn opqr s tvze 
24 26 84 9 66 68 28 42 80 04 88 5 

40 7 
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3.4.1 Caveat. Encryption steps with straddling are subject to the restric¬ 
tion that the encryption induced by them should turn out to be left-unique— 
this means that the hiatuses between the one-letter and the two-letter cipher 
elements and thus the correct decomposition are well determined. As stated 
in Sect. 2.4, G. B. and M. Argenti were aware of this. Their ciphers fulfill the 
following conditions: W is divided up into characters used for one-character 
cipher elements, W' = {1, 3, 5, 7, 9} and characters used for two-character 
cipher elements to begin with, W" = {0, 2, 4, 6, 8} . The Argentis made the 
mistake of restricting also the second character of these to W" . This exposes 
the straddling. Otherwise, they made some more practical recommendations: 
to suppress the u following the q and to suppress (Alberti) a doubled letter. 

The so-called spy ciphers used by the Soviet NKVD and its followers are 
straddling ciphers. They have been disclosed by convicted spies. By analogy 
with Polybios squares they are described by rectangular arrays too, e.g., 



0 

1 

2 

3 

4 

5 

6 

7 

8 

9 


s 

i 

o 

e 

r 

a 

t 

n 



8 

c 

X 

u 

d 

j 

P 

z 

b 

k 

q 

9 


w 

f 

1 

/ 

g 

m 

y 

h 

V 


where the first line contains the one-letter cipher elements. 

With W = Z io 28 cipher elements are obtainable, enough for Z 2 6 and two 
special characters, . for ‘stop’ and / for letter-figure swap. Because this 
cipher was subjected to further encryption (‘closing’, Sect. 9.2.1), it was toler¬ 
able to encrypt figures—after sending a letter-figure swap sign- by identical 
figure twins, a safeguard against transmission errors. 

For the construction of this array passwords have been used, too. Dr. Per 
Meurling, a Swedish fellow traveler, did it 1937 as follows: He wrote down 
an 8-letter password (M. Delvayo was a Spanish communist) and below it the 
remaining alphabet; the columns were numbered backwards: 



0 

9 

8 

7 

6 

5 

4 

3 

2 

i 


m 

d 

e 

1 

V 

a 

y 

o 



1 

b 

C 

f 

g 

h 

i 

j 

k 

n 

p 

2 

q 

r 

s 

t 

u 

w 

X 

z 


/ 


This procedure had the disadvantage that not at all the most frequent letters 
obtained 1-figure ciphers. This disadvantage was also shared by the method 
the Swedish spy Bertil Eriksson used in 1941: He numbered the columns 
according to the alphabetic order of the letters occurring in the password, in 
his case pausomvejk: 



6 

0 

8 

7 

5 

4 

9 

i 

2 

3 


r 

t 

w 

X 

y 

z 





3 

P 

a 

u 

s 

0 

m 

V 

e 

j 

k 

9 

b 

c 

d 

f 

g 

h 

i 

1 

n 

q 


The password was taken from a Swedish translation of Jaroslav Hasek’s novel 
Pans, som Svejk sjalv avbrdt... . Since encryption of the most frequent let- 



3-4 The General Case V ^ —■>- W^ m \ Straddling 57 


ters by 1-figure ciphers also shortens the telegraphic transmission time, the 
NKVD arrived in 1940 at a construction method that took this into account. 
Max Clausen, wireless operator of the Russian spy Dr. Richard Sorge in 
Tokyo, had to memorize the sentence “a sin to err” (very good advice for a 
spy), containing the eight most frequent letters in English, 65.2% altogether. 
Beginning with a password /subway/, a rectangle was started and filled with 
the remaining letters. Thereupon, columnwise from left to right in the or¬ 
der of their appearance, first, the letters from the set {a s i n t o e r} were 
assigned the numbers 0 ... 7; second, the remaining letters were assigned the 
numbers 80... 99: 


s 

u 

b 

w 

a 

y 

0 

82 

87 

91 

5 

97 

c 

cl 

e 

f 

g 

h 

80 

83 

3 

92 

95 

98 

i 

j 

k 

1 
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n 

1 

84 

88 

93 

96 

7 

o 

P 

q 

r 

t 

V 

2 

85 

89 

4 

6 

99 

X 

z 


/ 



81 

86 

90 

94 




In this way, the Polybios rectangle marked above by (*) is obtained in more 
compact notation. 

For the cyrillic alphabet, a subdivision into seven 1-figure ciphers and thirty 
2-figure ciphers, altogether 37 ciphers, is suitable; it allows 5 special charac¬ 
ters. A method that was given away by the deserted agent Reino Hayhanen, 
an aide to the high-ranking Russian spy Rudolf Abel, used a Russian word 
like CHETOIIAil (‘snowfall’), the first seven letters of which have a total 
frequency of 44.3 % . The rectangle was formed as usual 


C 

H 

E 

r 

O 

n 

A 




B 

B 

R 

w 

JX\ 

3 

VL 

M 

K 

JI 

M 

P 

T 

y 

$ 

X 

II 


in 

III 

T> 

BI 

B 

9 

K> 

fl 







and then rearranged with the help of a key that was changed from message 
to message and was to be found at a prearranged place within the cipher 
message. Finally, a closing encryption (Sect. 9.2.1) was made. 

3.4.2 Russian copulation. On this occasion, it was also disclosed that the 
Russians used what became to be called “Russian copulation”: the message 
was cut into two parts of roughly the same length and these parts were joined 
with the first after the second, burying in this way the conspicuous standard 
phrases at beginning and end somewhere in the middle. 

Winston Churchill called Russia “a riddle wrapped in a mystery inside an 
enigma.” This is also true for Russian cryptology. 



4 Encryption Steps: 

Polygraphic Substitution and Coding 


Simple (monographic) substitution requires a complete decomposition of the 
plaintext in single characters. A polygraphic substitution allows polygraphic 

encryption steps, i.e., encryption steps of the form V^ ->- W (m) with 

n > 1. 


4.1 Case V 2 — W (m) (Digraphic Substitutions) 


4.1.1 Graphemes. The oldest polygraphic encryption of this type is found 
in Della Porta’s De furtivis literarum notis of 1563 (Fig. 30), a mapping 
V 2 s- W 1 . Porta showed great ingenuity in inventing 400 strange signs. 



Fig. 30. 

Old digraphic substitution by 
Giambattista Della Porta, 1563 
(Giovan Battista Porta) 
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4.1.2 Bipartite digraphic encryption step V 2 ->- V 2 . For its 

representation mostly a matrix is used. In case V 2 -4—5- V 2 , it is a bigram 
permutation. 

2 

In the following, an example V 2 -4—>- V 2 of a self-reciprocal bigram per¬ 
mutation is given: 



a 

b 

c 

cl 

e 

f 

g 

h 

i 

j 

k 

1 

m 

n 

o ... 

a 

xz 

KJ 

YJ 

HP 

PL 

EL 

VB 

CI 

DW 

XN 

ZL 

YP 

VN 

HH 

cc 

b 

LP 

QT 

HE 

RS 

UR 

CR 

ZH 

GV 

WC 

HL 

YN 

KT 

WT 

MC 

KH 

c 

DX 

MN 

AO 

NH 

SF 

GI 

WL 

MN 

AH 

GR 

BZ 

HS 

ZU 

YM 

wu 

d 

KM 

YZ 

RY 

FP 

TR 

CR 

XE 

JK 

NY 

PO 

GJ 

JR 

PE 

MO 

VB 

e 

QU 

HP 

QG 

JQ 

YQ 

OB 

SA 

NL 

PX 

OP 

VS 

AF 

XK 

XR 

UQ 


The self-reciprocal character (ao i—> CC , cc i— >AO ; ah i—> Cl , ci i—> AH ; 
af i—> EL , el i— >af) is not superficially discernible. 

Further enciphering steps V 2 -4—>- V 2 can be obtained again with the help 
of passwords, e.g., with /america/ and /equality/ : 



a 

m 

e 
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i 

c 

b 

cl 
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e 

xz 

KJ 

YJ 

HP 

PL 
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DW 
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AH 

GR 
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HS 
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a 

KM 
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NY 
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PE 

MO 

VB 

1 

QU 

HP 

QG 
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YQ 

OB 

SA 

NL 

PX 

OP 

VS 

AF 

XK 

XR 

UQ 


(with the effect that the self-reciprocal character disappears and the encryp¬ 
tion work becomes more cumbersome). 

Establishing a matrix needs the thorough work of a cryptologist in leveling 
the frequencies of the letters (Sect. 3.1.2). An imitation of the frequency 
distribution of the letters in the language concerned, thus feigning a trans¬ 
position, is possible. The ideal result is a matrix which has in every line and 
in every column every letter occurring just once as first and once as second 
letter, e.g., 


AB BC CA 
CC AA BB or 
BA CB AC 


AC BA CB DD 
BD AB DA CC or 
DB CD BC AA 
CA DC AD BB 


AA BB CC DD EE 
BC CD DE EA AB 
CE DA EB AC BD 
DB EC AD BE CA 
ED AE BA CB DC 


Such matrices are called ‘Greek-Latin squares’. Apart from the case N = 6 
(‘36-officer problem’ of Euler, 1779), for all natural numbers N > 2, Greek- 
Latin squares exist, usually several. 
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In any case, the example given by Helen Fouche Gaines 


AA 

BA 

CA 

DA 

AB 

BB 

CB 

DB 

AC 

BC 

CC 

DC 

AD 

BD 

CD 

DD 


is not suitable: it results in a monographic 2-alphabetic encryption (poly- 
alphabetic encryption, Sect. 8.2) succeeded by pairwise swapping of letters. 
The following table gives for TV = 26 , for TV = 10 , and for TV = 2 a survey 
of the number Z(N) of available squares V 2 -4—>- V 2 (cf. Sect. 3.2.6): 


number of squares 

Z(N) 

Z( 26) 

Z( 10) 

Z(2) 

total 

TV 2 ! 

1.88-10 1621 

9.33 • 10 157 

24 

genuine reflections 


7.60 • 10 809 

2.72 • 10 78 

3 
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Fig. 31. Bipartite digraphic encryption of the RSHA call signals in Norway 

A classical example is given by Fig. 31, a V 2 -< —s- V 2 step for the encryption of 
call signals of the R.S.H.A. radio key net in Norway. Ten such tables were fa¬ 
bricated in Amt VI (headed up to 1941 by Jost, then Schellenberg), the For¬ 
eign Intelligence section of Himmler’s R.S.H.A. (Reichssicherheitshauptamt ), 
possibly by Andreas Figl (1873-1967). The R.S.H.A. got hold of the Austrian 
retired Colonel Andreas Figl, former head of the Austrian ‘Chiffrengruppe’, 
together with useful documents, in 1938, when Austria was occupied (An¬ 
schluss). The importance of this booty was “discovered” by the young Austri¬ 
an SS-Sturmbannfiihrer Wilhelm Hottl, later (since 1943) deputy head of the 
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Vienna desk of group VIE 1 . Figl, held until mid-1941 in “custody” by the SS, 
worked as an “advisor” and “instructor” in Berlin-Wannsee. 

Hottl also helped Amt VI of the R.S.H.A., employing from mid-1944 onward 
a group of Hungarian army cryptologists at Budapest, headed by Major Bibo 
who in 1944 succeeded in penetrating Allen Dulles’ Bern-Washington traffic. 
Figl, a very shrewd cryptanalyst, was Captain when in 1911 he built up 
the cryptanalytic bureau of the k.u.k. Armee, in the best tradition of the 
Viennese court. In 1915 Major Figl solved Italian cryptograms, and in 1926 
he had the rank of Colonel, when he wrote a good textbook, Systeme des 
Chiffrierens (243 pages with 45 supplements, Graz 1926). A planned second 
volume, Systeme des Dechiffrierens, was in 1926 not allowed to be printed; a 
copy, but not the original of the manuscript, now is accessible (see p. 500). 
The German Auswartiges Amt used self-reciprocal bigram tables in a lowgra- 
de cipher (‘ Spalierverfahren ’), less secure than GEE (8.8.7) and GEC (9.2.1). 


4.1.3 Naval ENIGMA. Properly self-reciprocal bipartite digraphic en¬ 
cryption was used from May 1, 1937 for the superencryption of the indicators 
( Spruchschliissel ) that preceded the wireless messages, encrypted by the Ma¬ 
rine ENIGMA with basic wheel setting (see Sect. 7.3.8). There was a choice 
between ten such tables with names like BACH (1940), FLUSZ (1941,Fig. 32), 
STROM (1941), TEICH, UFER, etc. that had been in use; they were known to 
the British who had seized them (17-110, May 1941, Gedania, June 1941; VP 
5904, January 1942; 17-505, June 1944), and later also reconstructed them. 
The procedure was as follows: Two trigrams were chosen at random, say 
S W Q and R A F, and arranged into the scheme 


that was filled with dummies (‘padding letters’): 


* S W Q 
RAF* 

X S W Q 
R A F P 

The encipherment by a bigram table (say Fig. 32) was done with vertical pairs 
3 - G ' W - V ; this gives: ? g V X 


x v „ 

R I ’ A F 


W,. V 
F T 


The indicator was formed by reading out (vertically) VIGF VTXT; this was sent 
without further encoding, preceding the encrypted message. On the receiving 
side, the procedure was applied backwards: first the splitting of the indicator 
into two halves, then the (self-reciprocal) bipartite digraphic substitution and 
the removal of the dummies, i.e., the reconstruction of the original trigrams. 
In this way, a key was negotiated between the two parties. The procedure 
seemed complicated enough to lull those who invented it into a sense of 
security. For the British, the obstacles nevertheless were surmountable. A 
conjecture Turing had before the end of 1939 was confirmed when the German 
patrol boat Polares was seized in 1940; in 1941 the British then succeeded in 
reconstructing the bigram tables after a few ones had been ‘pinched’. 


1 After the Second World War, Dr. Wilhelm Hottl (1915-1999) played an unsuccessful role 
in the Austrian right-wing party Wahlpartei der Unabhangigen; he was arrogant (“I was 
one of Hitler’s Master Spies”) and also wrote books (The Secret Front, 1954 and under 
the pseudonym Walter Hagen The Paper Weapon, 1955). 
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iMfnr.tI53_6 

jfaimmri: sms ©oppclbii^ffoCciifmiftl)tofel fiir Stenngnippen — Srtfcl B 

_4S_ ...... . .d __ M . _ M __4L__ m .... ..sc _ . no __ HF Cli cf ai "Dn 


Aa = rn 

IU = IK 

Ca » K.r 

Da = pk 

= tc 

Fa = xp 

Ga = ne 

II Ac JR 

1a s= NN 

JA = WE 

l<A==Et 

La = eu 

Ma==rg 

n = k\v 

B ==RT 

B = PO 

B =EZ 

n = .ix 

B =01 

B = JO 

B = NO 

B ss VF 

B — OY 

B =GW 

B s= RH 

B = IP 

C = FM 

C = EY 

C = .1V 

C = AW 

C = OM 

C = IU 

C = BK 

C=GY 

C = DN 

C =s NQ 

CbIm 

CssVO 

C == WW 

D = YE 

D = AK 

DsBH 

D ss JM 

D = Tv!.l 

D = RB 

D = FL 

D = TB 

D = FW 

DssKK 

D = SE 

D = YA 

D = TA 

E=NR 

E = OW 

E = MZ 

e = vvn 

E = NY 

E = PA 

E ss ZT 

E =Zt 

E ==RP 

E ss TN 

E ss AG 

E ss CV 

E s= BQ 

F = UC 

F eWQ 

F <=EK 

F =XY 

F = AS 

F =DZ 

F t=SA 

F =QY 

F = EO 

F c VS 

F s= JH 

F ss SC 

F=KV 

G = KE 

G = QA 

G — KT 

G = Z A 

G = PU 

G ss NV 

G=LR 

G = OA 

G = WS 

G = FR 

GbsPN 

G==JU 

G = NS 

II ss XU 

H — ZZ 

11 = A7. 

n*=ns 

II = WO 

11= ZK 

H = TP 

H as CU 

H ss NU 

HssKF 

HbsDT 

H=sZQ 

Hss VK 

1 = PC 

I - OG 

I ssND 

1 s= IvlT 

1 = KA 

1 = QR 

1 =MW 

1 =QS 

I =TM 

I SB PM 

I =LV 

I bsRX 

I S3 XC 

J ==JP 

.T = HQ 

J = TQ 

J s=OE 

J =CZ 

J = LN 

J ss AU 

J = IS 

J ==XO 

J bSV 

J =CA 

J = wz 

J = ED 

K== BD 

K= GC 

K = GX 

K= FP 

K sa CF 

K = EL 

K = QN 

K= PG 

K = BA 

k ss It 

K = JD 

Kb EM 

KbsZF 

L = Qt 

Lss PR 

L = RE 

L = RI 

L = FIC 

L = GD 

L = WH 

L«KR 

L — MS 

L ss UP 

Lbs TO 

Ls=OK 

L ss DR 

M= I1T 

M= CD 

M= WA 

M=VV 

M=LK 

M= AC 

M= PB 

M=SF 

M=KC 

M=DD 

M=BW 

M=TR 

M=SU 

N = MR 

N = NL 

N = OS 

ri = ic 

II as TY 

N = CP 

N= OX 

N = SZ 

N = QZ 

NbPX 

N==UX 

NbsFJ 

N==LO 

o = nz 

o = us 

0 = DY 

0 = YJ 

o = If 

0 = VE 

0 = JT 

O ss FY 

O = YV 

O ss GB 

O ss QC 

0 = MN 

Os=NX 

P =Xl 

P = sx 

P ss FN 

PsHF 

P =NC 

P=DK 

P = RY 

P = MX 

P = MB 

P = AJ 

P =VJ 

P = BT 

P = FZ 

Q = OZ 

Q = ME 

Q =QF 

Q =GU 

Q ==WV 

Q =PY 

Q =1Z 

Q =BJ 

Q == OV 

Q ss XH 

Q s=RS 

q = iv 

q =oj 

R = UK 

R = YN 

R =XJ 

R = ML 

R = KS 

R=JG 

R = CY 

R = OP 

R = SH 

R = HA 

R = HL 

R==GG 

R == AN 

s = rcp 

S = DI! 

s =zn 

S « QG 

S = QW 

S =UE 

S = RF 

S c RJ. 

S =HJ 

S =YZ 

SssER 

S = NW 

S = tL 

T= IY 

T = LP 

T s= SW 

TaKII 

T = XD 

T = SR 

T = XV 

T sb AM 

Ts= JK 

T = GO 

T = CG 

T S3 UP 

TssDl 

U = GJ 

U = XIC 

u==nn 

u==\vn 

U=LA 

u = wx 

U = DQ 

U ss UQ 

U = FC 

U==LG 

u==xz 

UssXW 

UssBY 

V =QU 

V =Tt 

V =s I,E 

V = MW 

V = RL 

V as TL 

V = UM 

V s= LZ 

V ss LQ 

V =CC 

V =MF 

V==Kl 

V = UT 

W = DC 

W=KM 

W= VP 

v/= so 

V7=SK 

W= ID 

W= KB 

W= DV 

W= PH 

W=QL 

W=AB 

WbsPW 

Wb=GI 

x = uv 

X = VY 

X== UG 

X = HT 

x = uz 

X = YS 

X = CK 

X = WJ 

XbUD 

XssED 

X ss ZY 

XbsPP 

X ss: HP 

Y = SG 

Y = HU 

Y = GR 

Y = CO 

Y = 11C 

Y = no 

Y = IIC 

Y = VN 

Y = AT 

YbTU 

YbNZ 

Y = QD 

YssVB 

Z = CII 

ZrrAO 

Z = Y1 

Z = FF 

Z = DO 

7 . = M P 

Z ==EJ 

Z s= YD 

Z ==GQ 

Z S3 UV/ 

Z = WP 

Z = HV 

Z = CE 


fforlfctjuno f. SJIUIifJfc! 



Fig. 32. Self-reciprocal bigram table FLUSZ (June 1941) of the Kriegsmarine 


New sets of nine bigram tables were introduced on July 1,1940, June 15,1941, 
Nov. 1,1941, March 1,1943, July 16,1944; a set of 15 was planned for May 1945. 

The British should have been warned by their own successes about relying 
on bigram tables. Nevertheless, the British Merchant Navy used bipartite di¬ 
graphic substitution for the superencryption of their BAMS code. The code- 
bookfell into German hands on July 10, 1940, when the German raider At- 
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Fig. 33. Bipartite digraphic substitution ( Geheimklappe) 
for the superencryption of numeral codes 

lantis seized the vessel City of Bagdad in the Indian Ocean. The B-Dienst 
of the German Kriegsmarine was successful until 1943 in stripping off the 
superencipherment of allied ships’ radio signals. 

For the superencryption of numeral codes a permutation Z( Q -4—y Z( 0 , as 
specified by the Geheimklappe , suffices. This was a bipartite digraphic substi¬ 
tution introduced in March 1918 by the Germans for tactical communications 
on the Western Front, with one table for enciphering and one table for de¬ 
ciphering (Fig. 33). Towards the end of the First World War, this bipartite 
digraphic substitution was changed every day. 

John Tiltman, ‘Chief Cryptographer’ of GC&CS, broke in 1942 a Japanese 
military attache code with superencrypted queer digraphic substitutions. 

4.1.4 Tripartite digraphic substitution V 2 —y W 3 . It is sometimes 
used, e.g., the denary tripartite digraphic substitution (V = .Z 26 , W = Z 10 ): 

a b c cl e 


a 

148 

287 

089 

623 

094 

b 

243 

127 

500 

321 

601 

c 

044 

237 

174 

520 

441 

d 

143 

537 

188 

257 

347 


Cryptanalytically, V 2 -y IW"' falls for arbitrary n into one and the same 

class and can be interpreted as a | V | -fold homophonic simple substitution 
of the odd-numbered letters plus a | V | -fold homophonic simple substitution 
of the even-numbered letters. Correspondingly, it is trivial to break the 
encryption, if, as in the example V 2 s — >~V 2 of Helen Fouche Gaines, a 
standard cipher table is used, provided there is enough material available. 
Eyraud points out that in particular the method of cutting the message into 
halves, writing them in two lines, and using digraphic substitution for vertical 
pairs, is a complication illusoire. 
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4.2 Special Cases of Playfair and Delastelle: 
Tomographic Methods 

4.2.1 Playfair cipher. In 1854, Charles Wheatstone invented a special 
bipartite digraphic substitution (Fig. 34); his friend Lyon Playfair, Baron of 
St. Andrews, recommended it to high-ranking government and military per¬ 
sons. The system may have been used for the first time in the Crimean War 
and was reportedly used in the Boer War; the name of Playfair remained 
attached to it. The military appreciated it as a field cipher because it needed 
neither tables nor apparatus. The British Army adopted it around the turn 
of the century and continued to keep it secret. Nevertheless, in the First 
World War, by mid-1915, the Germans could solve it routinely. 

The PLAYFAIR encryption step goes as follows: From a password, a per¬ 
muted alphabet Z 25 (say, omitting the J of Z 2 &) is inscribed into a 5x5 square 
(French damier): 2 
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R 

s 
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G 

B 

c 
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w 

V 
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X 
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z 
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M 

E 

P 

A 


and this is thought to be closed like a torus, such that the two examples 
mean the same. Now, if the two letters of a bigram stand in one and the 
same line (or column), each is replaced by the letter to its right (or beneath 
it, respectively); e.g., both squares yield consistently 

am 1 —> LE , dl 1 —> KT . 

Otherwise, the first letter is replaced by the letter in the same line, but in the 
column of the second letter; likewise the second letter is replaced by the letter 
in the same line, but in the column of the first letter (“crossing step”, French 
substitution orthogonale et diagonale). Thus 

ag 1 —► EC , ho 1 —> qr . 

The step is undefined if the bigram is a doubled letter 3 or if the final letter 
is unpaired. This situation is avoided by inserting x : 

ba 11 00 n is replaced by ba lx lo on ; le ss se ve n by le sx sx se ve nx . 

This is a dangerous weakness. Notwithstanding, the PLAYFAIR step fasci¬ 
nates by its relative simplicity. But because of the torus symmetry its com¬ 
binatorial complexity is even less than that of a simple substitution. 

In the third case above, the PLAYFAIR step can be interpreted as a com¬ 
position of mappings: a mapping of the plaintext bigram into a pair of line- 


2 Wheatstone actually used alphabets that were better mixed (Sect. 3.2.5), and rectangular 
matrices. These important safety measures were soon dropped. 

3 The advice of Leone Battista Alberti (1404-1472), in his De cifris, to suppress doubled 
letters altogether (Sect. 3.4.1), was probably forgotten. 
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Fig. 34. Description of the PLAYFAIR cipher, signed by its 
inventor Charles Wheatstone, March 26, 1854 
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and-column coordinates, a permutation of the column coordinates, and re¬ 
translation into a bigram (similar to a spoonerism, Sect. 6.1.2): 



1 

2 
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4 

5 

1 

P 

A 

L 
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E 
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R 
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0 

N 

3 

B 

C 

D 
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H 

I 

K 

Q 
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5 

V 

w 

X 

Y 

z 


Such compositions of encryptions, that amount to a decomposition and re¬ 
combination, are called tomographic or fractionating methods ( l chiffres a 
damiers ’, Auguste L. A. Collon, 1899); we shall study them in Sect. 9.4.4 . 


4.2.2 Modified PLAYFAIR. It was introduced in early 1940 by the Ger¬ 
man Army and the SD (Sicherheitsdienst , the Nazi party and government po¬ 
litical police) as a Handschliissel —and was, starting about mid-1941, broken 
(until the fall of 1944) by the British at B.P. under Colonel John H. Tiltman 
(1894-1982), who was from 1929 head of the Military Section. It was named 
double casket (German Doppelkas[set]tenverfahren ), also double PLAYFAIR, 
two-table-PLAYFAIR, because it used (say, omitting the J) two different 
5x5 squares, one for the first, one for the second letter of the bigrams, e.g., 
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They were not constructed from passwords, but were formed “at random” and 
then distributed. As in the original PLAYFAIR, bipartite digraphic steps like 
ah i— > AY , nr i— > KP , nb i— > ip 

occur if plaintext letters stand in the same line (closed like a cylinder), in all 
other cases a “crossing step” is used: 

xk i—> LB (as marked above), likewise or i—> MN , bx i—> RY . 

Moreover, the plaintext was cut into groups of predetermined length, so for 
example the message 

anxobergruppenfuehrerxvonxdemxbachxkiewxbittexdreixtausendxschuss 

xpatronenxschickenstopx 

—with /x/ for the space, which was not suppressed (Sect. 2.4.2)—was cut 
into groups of, say, 17 letters and each group encrypted in the following way: 

anxober gruppenfue 
hr e rxvonxdemxbach 

AKFMRZCMMNTRNI ZOW 
YPWNYSWEYVEGHPACH 


This procedure was applied once again: ay i— > XY , kp i— > YC , fw i— > ZW , ... 
so that the final cryptotext, read off in groups of five, amounts to 
XYYCZ WRUPY VQGUT UTKID NESCB IYOVA GGWX 
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The modified PLAYFAIR is, like the classical one, a little bit cumbersome 
and error-prone; this results in frequent queries and brings the danger of 
compromising encryption security (see Chapter 11). The violations on the 
German side helped the British as much as the Prussian predilection to be 
“both methodical and courteous” and to indulge in titles and other formali¬ 
ties. 

4.2.3 Delastelle cipher. A tomographic method in the purest form (“while 
searching for a method of digraphic encipherment that did not require cum¬ 
bersome 26x26 enciphering tables”, Kahn) was published in 1901 by Felix 
Marie Delastelle (1840-1902), author of the Traite Elementaire de Cryptogra¬ 
phic (Gauthier-Villars, Paris 1902): This was a one-to-one bipartite simple 
(i.e., monographic) substitution (very much like a Polybios square), then a 
transposition over four places, finally the same bipartite simple substitution 
in reverse, e.g., 
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The encryption step is self-reciprocal and results in a bipartite digraphic 
substitution, similar to the one in Sect. 4.1.2. For the reverse translation 
another, conjugated bipartite simple substitution can be used; then the self¬ 
reciprocal character disappears. 

A warning of a complication illusoire is appropriate: a mere gliding by one 
place, a Kidissenverfahren (Rohrbach 1948) does not give the wanted effect: 
a b s a 1 o m 

3211151214112423 
HBEODBCX 

The cryptanalyst does not need to reconstruct the square: it suffices to in¬ 
terpret the encryption step as a V -x V 2 with homophones: 

O) IB B 'j f B E 'j SB 

U O A O F O 

a H > X < R , b l-X G > X < R , S K > X < R , 

M D L D Q D 

tJIe sJIe zJIe 

under the side condition of overlaying: 

absalom j--x HB_.BE^EO^OD_DB_BC^CX . 

This opens an unexpected line of attack. 

An earlier example of a numeral tomographic method is found, according to 
Shulman, in a 1876 publication by the Danish engineer Alexis Kphl. It is 
related to a method Pliny Earle Chase invented in 1859 (Sect. 9.5.4). 
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4.3 Cases U 3 —v- W^ m \ V 4 — +- W < m ) 

4.3.1 Gioppi. Trigraphic substitution in full generality soon leads into tech¬ 
nical difficulties. Paper is not three-dimensional, unfortunately, so the listing 
of trigrams is more cumbersome, and 26 3 = 17 576 trigrams is a respectable 
number—a booklet of 26 pages may be needed. Trigraphic substitutions are 
hard to mechanize with simple means—although the use even of small hand¬ 
held computers can help a lot. Special substitutions by trigrams a la PLAY¬ 
FAIR have not been very successful; the count Luigi Gioppi di Turkheim in 
Milano published such a system in 1897. William Friedman dealt around 
1920 with trigram substitutions as well, and that makes them somewhat in¬ 
teresting. In the very special case of linear substitution (Chapter 5) have 
trigraphic substitutions found application by Jack Levine (1958, 1963). 

4.3.2 Henkels. A cipher machine, which mechanically performs a quadru- 
partite tetragraphic substitution, was patented in 1922 for a certain Henkels. 

4.4 The General Case V (n) —>■ : Codes 

Instead of being able to encrypt 26 3 = 17576 trigrams, it may be better 
to be able to encrypt several hundred, thousand, or tens of thousands of 
frequently occurring multigrams of different length; this means that the en¬ 
cryption step operates on a subset C of V^ (with a rather big n); with the 
proviso that every plaintext x £ V* can be decomposed into elements of C : 

x = Xi-kx 2 *X 3 *.. .*Xk (for some k £ IN and suitable Xj £ C C V^ n >) . 
This can be guaranteed by the following ‘single letter condition’: C3b. 

Following Kahn, such an encryption is called a code, if the choice of C is 
determined linguistically: frequent diphthongs, syllables, prefixes, endings, 
words, phrases are listed in a code book together with their code groups. 
The single letter condition guarantees that even queer, curious, strange words, 
including those from biology and chemistry, or names of places, rivers, moun¬ 
tains, and proper names can be encrypted. Of course, it does not mean 
that every word should be resolved into individual letters and every sentence 
should be split into words—on the contrary, the longer the code entry that 
is found, the better; the best resolution is one that needs a minimum of 
code book entries. In full generality, the optimum may not be determined 
uniquely, but this indeterminism does no harm. 

To maintain coding discipline is difficult. In 1918, the Commanding Officer 
of the American Expeditionary Force (AEF) in France had reasons to admo¬ 
nish the staff, that boche , to be spelled with five codegroups, should be re¬ 
placed by German , which needs one codegroup; and that the eighteen code¬ 
groups needed for almost before the crack of dawn were better replaced by 
the two codegroups for day break. Use of codes requires high education, 
since good encoding is a question of intellect; bad encoding helps the unau¬ 
thorized decryptor to break the code. Thus, codes should be disallowed if the 
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right people are not available. In the First World War, a Lieutenant Jager 
from the staff of the German 5th Army did a great service for the foe when 
he signed his well-meaning orders to maintain signal security regularly with 
his name, which, unfortunately, was missing in the codebook and had to 
be spelled letter by letter every time. He “was beloved by his adversaries 
because he kept them up with code changes,” writes Kahn. In 1918, Jager 
endangered both the superencipherment with the Geheimklappe and the new 
codebook, the Schliisselheft. 

Coding discipline on the American side in the First World War was even 
worse, according to the G.2 A.6 Chief, Major Frank Moorman, who felt 
responsible for it; this is explained by a “well-known American disregard for 
regulations—especially ones as persnickety as these” (Kahn). 

In the Second World War things improved slightly. Cryptographic control 
officers were assigned to each headquarters. Still, there were the diplomats. 
The anti-hero is Roosevelt’s diplomat Robert Murphy (1894-1978), who in¬ 
sisted, for prestige reasons, on always using a diplomatic code; the stereo¬ 
typed beginnings “For Murphy” or “From Murphy” helped Rohrbach’s group 
at the German Auswartiges Amt to break the code. Fraulein Asta Friedrichs, 
who took part in this activity, said after the war, as she was detained in Mar¬ 
burg and saw him drive by one day: “/c/i wollte ihn anhalten und ihm die 
Hand schiitteln, —so viel hatte er fiir uns getan.” [I wanted to stop him and 
shake his hand —he’d done so much for us.] 

A 

Fig. 35. Hieroglyphic inscriptions: unusual forms (left) and ordinary hieroglyphs (right) 

4.4.1 Nomenclators. The oldest codings, seen from the Occident, are 
Chinese ideograms—although not perceived as such by the Chinese. Indeed 
the lack of cryptologic achievements in the ancient high cultures of China has 
been explained by the fact that written messages were anyhow understand¬ 
able only for a few. The Egyptian hieroglyphs, however, were based—2000 
years B.C.—on the principle of the rebus and on acrophony. The graphic of 
a ‘rer’ (pig) supplies the character for the letter /r/, the graphic of a ‘wr’, 
meaning a swallow as well as big, supplies the character for the letter /wr/; 
special marks (determinatives) clarify, if necessary, the difference. Hieroglyph 
writing is to a large extent coded writing—if necessary, a word can even be 
decomposed into characters for single consonants. But the secrecy aspect is 
missing. However, it is also missing if diplomats little by little get to know a 
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code by heart and are able to give an impromptu speech in this code, as the 
American consul in Shanghai did in GRAY at his retirement dinner speech 
in the early 1920s (Sect. 4.4.7). 

Where in Egypt inscriptions (Fig. 35) with unusual graphemes are found side 
by side with plaintext, secrecy may not be intended primarily; the pompous 
epigraph on a tombstone should impress and conjure arcane magical powers. 
In the Occident, around 1380 the first mixtures of monographic substitutions 
and polygraphic elements are found, initially for some very frequent words 
only, among them et (see Fig. 26), con, non, che (Sect. 3.4), prepositions, 
adverbs, particles. As soon as these collections became somewhat more volu¬ 
minous, they were called nomenclators. An early example is shown in Fig. 36. 
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Fig. 36. An early nomenclator from Florence, 1554 


Nomenclators kept their great importance during the whole Renaissance time. 
Charles I used a nomenclator with homophones, reconstructed in 1860 by 
Wheatstone: /a/ was represented by 12... 17 , /b/ by 18... 19 , and so on, 
/france/ by 9476 . By 1600, some nomenclators ran to several hundred entries, 
and numeral ones had code groups with up to three digits. 

Nomenclators were also solved. Philip II of Spain gave his envoy Juan de 
Moreo a nomenclator containing about 400 codegroups. Viete worked from 
October 28, 1589 till March 15, 1590 to break the riddle, then he gave the 
complete solution to his king Henri IV. King Philip, who found out that 
a cipher he had thought unbreakable was compromised, complained to the 
Pope that Henri had used black magic. The Pope was better informed: his 
own cryptologist Giovanni Battista Argenti had also served him well, and 
Philip was held up to ridicule. 

In the game of political intrigues, codes played a continuing role, from the 
sentence of Mary Stuart in 1587 to the conviction of the French anarchists 
who had been accused in the trial of Saint-Etienne in 1892 on the basis of 
secret messages Bazeries had solved. 
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In the 17th century, not only the Italian principalities, but every one of 
the great European courts had their Black Chamber, Cabinet Noir, Geheim- 
kabinett. The statesmen had important cryptologists as aides and confidants: 
Louis XIV had Antoine Rossignol, the Czarina had Christian Goldbach, 
Charles II had John Wallis, and Maria Theresia had Baron Ignaz de Koch. 
These people were paid well and knew their importance. Kahn writes: 

“Though Wallis entreated Nottingham not to publicize his solutions for 
fear France would again change her ciphers, as she had done nine or ten 
times before (probably under the expert Rossignol tutelage), word of his 
prowess somehow spread. The King of Prussia gave him a gold chain 
for solving a cryptogram, and the Elector of Brandenburg a medal for 
reading 200 or 300 sheets of cipher. The Elector of Hanover, not wanting 
to depend on a foreign cryptanalyst, got Wallis’ fellow intellectual, Baron 
Gottfried von Leibnitz, to importune him with lucrative offers to instruct 
several young men in the art. When Wallis put off Leibnitz’ query as 
to how he did these amazing things by saying that there was no fixed 
method, Leibnitz quickly acknowledged it and, hinting that Wallis and the 
art might die together, pressed his request that he instruct some younger 
people in it. Wallis finally had to say bluntly that he would be glad to 
serve the elector if need be, but he could not send his skill abroad without 
the king’s leave.” 

Christian Goldbach (1690-1764), from 1742 privy councillor in the Russian 
Foreign Office, deciphered a letter of the French ambassador with unpleasant 
remarks about the reigning czarina Jelisaweta Petrowna, the daughter of Pe¬ 
ter the Great. Sometimes a fiasco happens, like the one the Baron de Koch ex¬ 
perienced, when a letter to the Duke of Modena was sealed by mistake with 
the signet of the Duke of Parma. Nevertheless, the Austrian emperors’ Kai- 
serliche Geheime Kabinetts-Kanzlei continued into the 19th century and was 
able to read among others Napoleon’s and Talleyrand’s correspondence. 

In the New World, too, cryptology assumed importance and fame. George 
Washington had the help of two agents, Sam Woodhull and Robert Townsend, 
with the cover names CULPER SR. and CULPER JR. In 1779 they used a 
nomenclator with about 800 entries, compiled by Major Benjamin Tallmadge. 
Thomas Jefferson (1743-1826), too, concocted in 1785 a nomenclator (Fig. 37) 
for James Madison (1751-1836) and James Monroe (1758-1831). 

4.4.2 One- and two-part books. Around 1466, Leone Battista Alberti 
(1404-1472), in his De cifris, made a big step forward. Apart from the ear¬ 
liest examples, all nomenclators were up to then order-preserving mappings 
of the lexicographically ordered plaintext elements onto lexicographically or¬ 
dered literal or mathematically ordered numeral codegroups. This allowed 
the user to get away with only one codebook which could be inspected for 
plaintext as well as for cryptotext in the order the entries were printed. 

This system, however, had a great disadvantage: as soon as the plaintext 
equivalent for one codegroup was known, all codegroups standing lower could 
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Fig. 37. Nomenclator, 1785, made by Jefferson for use by Madison and Monroe 


only have plaintext equivalents standing lower as well. With a few established 
codegroup-plaintext relations, a good deal of the fine-structure of the code 
can be obtained. 


Astonishingly, even during the First World War this outdated system of a one- 
part nomenclator, one-part code (French dictionnaire a table unique , German 
einteiliges Satzbuch) was still in practical use with the GREEN code of the 
US State Department, which had up to 20 3 -6 2 =288 000 codegroups of type 
CVCVC ( C stands for a consonant, V for a vowel): FYTIG, MIHAK, PEDEIC. 


A Signalbuch of the German Kaiserliche Marine that was captured from the 
cruiser Magdeburg in August 1914, was a one-part code, showing, for example, 


63940 OAT 

63941 OAU 

63942 OAU 

63943 OAV 

63944 OAW 


Ohnmacht, -ig 
Ohr, Ohren- 

Qkkupation, Okkupations, -ieren 

Okonomie, -isch 

Oktant 


Alberti introduced instead thoroughly mixed codes. This was emphatically 
advocated around 1630 by Antoine Rossignol (1600-1682). It means, how¬ 
ever, that for decryption a second, lexicographically or mathematically or¬ 
dered listing of the codegroups is needed, a two-part nomenclator, two-part 
code, hatted code (French dictionnaire a table double, dictionnaire a deux 
tables, German zweiteiliges Satzbuch). Jefferson’s nomenclator provides an 
example. A modern example with homophones from the military genre is 


flap XYMAS 

TIBAL 

flapjack UPTON 

flapper UPABS 

flare OHPAP 


RATPA ship 

RATPE quite 

RATPI enough 

RATPO happy 

RATPU loxodromic 


where for a frequent plaintext word like /army/ five homophones are available: 
TORMA, RAFEM, LABAR, ROMUF, IBEXO . 
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Some codebooks provided digit groups (numeral codes) as well as letter 
groups (literal codes). An example of a German Satzbuch from the year 1944 
could have read: 


a 

0809 

XCL 

b 

1479 

MLA 

Abend 

8435 

PUV 

Bad 

1918 

TID 

aber 

7463 

NAS 

bald 

1492 

LGD 

acht 

6397 

DXL 




Achtung 

1735 

APS 

z 

2467 

VBH 

an 

7958 

EVG 




auf 

6734 

UNO 





zyklotron 5116 JLD 


The Kurzsignalheft (short signal book) of the Kriegsmarine (since summer 
1941) was a caption code containing codegroups for stereotyped commands: 
AAAA Beabsichtige gemeldete Feindstreitkrafte anzugreifen 

AAEE Beabsichtige Durchfiihrung Unternehmung wie vorgesehen 

AAFF Beabsichtige Durchfiihrung Unternehmung mit vollem Einsatz 
AAGG Beabsichtige Durchfiihrung Unternehmung unter Vermeidung 

vollen Einsatzes 

The Wetterkurzschliissel (short weather cipher) of the Kriegsmarine coded 
air temperatures by a polyphonic single letter code (x was missing!): 

A = +28° B= +27° C= +26° D= +25° ... W= +6° Y= +5° z= +4° 
A = +3° B = +2° C = +1° D = 0° E = -1° F = -2° ... Z = -21° 

In a similar way, water temperature, atmospheric pressure, humidity, wind 
direction, wind velocity, visibility, degree of cloudiness, geographic latitude, 
and geographic longitude had to be coded in a prescribed order; a weather 
report consisted of a single short word. This seemed to be very economical 
and also made direction-finding reconnaissance difficult, but it was crypto- 
logically utterly stupid: the superencrypted weather reports the U-boats were 
ordered to broadcast regularly were for the enemy’s cryptanalysis of the su¬ 
perencipherment almost as good as plaintext. 

4.4.3 Modern codes. Around 1700, the nomenclators had 2000-3000 en¬ 
tries, and they kept growing, although the two-part books needed more space. 
Modern codes with homophones and polyphones are found in Figures 38, 39 . 
The Black Chambers were dissolved in Europe in the mid-19th century (1844 
in Britain, 1848 in Vienna and Paris); this ended the surreptitious, clandes¬ 
tine opening of diplomatic and other mail. The Age of Enlightenment had its 
victory. The industrial revolution brought about the telegraph and as a con¬ 
sequence commercial codebooks with the main use of condensing telegrams 
and thus lowering transmission time. 

In 1845, Francis O. J. Smith published a code— The Secret Corresponding 
Vocabulary. Adapted for Use to Morse’s Electro-Mechanic Telegraph —even 
before the Morse alphabet was introduced. Smith had 50 000 codegroups, and 
only 67 sentences. His codegroups were built up from digits (numeral code) 
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Shershel 

- 51648 c...Shershel 

- 07510 B ...Shetland Islands 

- 18855 b.... Shetland Mainland 

- 43026 c...Shetlands 

- 53038 ^...Shiant Islands 

- 04216 c... Shield— for 

- 35998 c...Shielday 

- 43144 b...S hielded 

- 35732 b....S hielded by 

- 10726 B....Shielded from 

- 53124 c...Shielding 

- 06656 B...Shields— for—of 

- 17848 b....S hields, North 

- 41802 ^....Shields, South 

- 28814 c...Shift-s 

_ Q7700 B...Spontaneous-ly 

- 07701 B...Sow-s-ing 

- 07703 B...Rodd 

- 07704 <7...Vacalc-s 

- 07705 b...To what 

- 07707 ^...What time— is—are 
a 07708 c... Hornet, H.M.S. 

h 07708 A ...Referring 
<■’ 07708 B ...Wednesday 

- 07709 -4...Send-s mails for 

- 07710 < 7 ... Worth 

~ 07712 b... Riddled by (with) 
a 07713 ^...Smokes— -from—of 
» 07713 B...Will be 
’ 07713 c..,13th April 

- 07714 a4...Tsu Sima 


A 10569 b'J 
b 53472 c V Ship is 
C 03917 A J 

-.35613 .4....Ship is not 

- 50968 Ship is not to 

- 06679 a. ... Ship is not to be 

- 18641 c....Ship is now— at 

- 42583 c.... Ship is to 

- 10247 a.... Ship is to be 

- 53180 c ....Ship must 

- 07006 A... .Ship must be 

a 51738 B ] 
b 41759 c V Ship of 
<7 10994 cj 


- 07750 A... Dummy group 

- 07751 ^...Recurrences— of 

- 07752 b... Report when she 

- 07754 .-i...Rush-es-ing 

- 07755 c... Purpose of 

- 07756 c... Withdrawn from 

- 07758 B... Sheep 

a 07759 c... 12th April 
B 07759 no-t 

c 07759 B...In convoy 

- 07760 c...She could 

- 07761 4...That every 

- 07763 ^...Sulen Isles 
a 07764 c... Begins 

b 07764 B...Spell word of 13 letters 
c 07764 ^...Acknowledge 


Fig. 38. SA Cipher of the British Admiralty (1918). 

One page of the homophonic encoding part and one page of the polyphonic decoding part 


fit » M ± ^ 


2Q4U3 
4084 1 
86660 

frtfv’S-tft, *•*? 

*F. *«», ire 

14806 

71731 

17487 

2F&P, p- 

37748 

34113 

51375 


0406? 

12954 

44135 


71631 

13885 

84141 

2FRt®» 

33232 

07044 

12682 


m 

GF p 

tt 

a 

57452 

41618 

14710 


74706;6F 
26430]6Ff 
70258! " 

23623 

07384 

840?8 

GFgSE 

74867 

31614 

42667 

3F 

3F p 

n 

16246 

08351 

74770 

6 Ft 
GFj 

75220 

0653? 

77614 

B 

if 

3Fg|*S 

3Fg-|S 

r c t : ; 

!!!!! 

1 

73085 

81754 

77515 

GFmaasKt 

GF(»*«®W 

33472 

17023 

20708 

3F4S-P, |> 

00544 

73773 

03782 

fiFf 

55433 

71675 

57247 

gf as*<sna 

GF (<3KF R) 
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63006 

31558 

60465 
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54678 

27424 

7F 

47520 

75332 
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Fig. 39. Sample from the encoding part of a Japanese Navy code (1943) 
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and were intended to allow (Sect. 9.2) superencryption. Later, a transition 
to codes with codegroups built from letters (literal code), mainly groups of 
five, took place; the number of sentences went into the hundreds, the number 
of code groups up to 100 000. Because of the great volume, one-part codes 
were used again, and this even in diplomatic services and in military staffs, 
although secrecy was vital there. However, this did give elaborate genuine 
ciphers more and more cryptological importance. 

Little by little, hundreds of commercial codes came into existence; among 
the earliest were one by Henry Rogers and one by John Wills (both in 1847). 
According to Friedman, in 1860, “a man named Buell published in Buffalo 
his Mercantile Cipher for Condensing Telegrams”. In 1874, eight years af¬ 
ter completion of the transatlantic cable, the widely used ABC Code by 
William Clausen-Thue, a five-letter code, appeared. Other five-letter codes 
were compiled by Bolton ( Dictionnaire pour la Correspondance anglais ), by 
Krohn in Berlin (1873), and by Walter in Winterthur (1877). A four-letter 
code ( Chiffrier-Worterbuch) was published by Katscher in Leipzig (1889) 
and a three-letter code ( Dictionnaire telegraphique, economique et secret) 
by Mamert-Gallian in Paris (1874). In the USA, famous codes are named 
after John Charles Hartfield (1877, continued since 1890 by his son John 
William Hartfield) and Henry Harvey (1878). The codebook by Benjamin 
Franklin Lieber, with 75 800 codegroups, was also translated into French and 
German. Even seven-letter codes found use, such as the Ingenieur-Code (in 
German) by Galland. The aim was mainly to reduce the cost of telegraphic 
transmission. This was particularly important for transatlantic traffic. 

In Europe, numeral codes were preferred which allowed a simple additive 
superencryption. An epoch-making prototype of a four-digit code was the 
Dictionnaire abreviatif chiffre by F.J. Sittler in Paris (1868), besides the 
Dictionnaire pour la Correspondance telegraphique secrete by Brunswick in 
Paris (1868) and the Dictionnaire chiffre by Nilac. Bazeries (1893) as well 
as de Viaris produced codes; other four-digit codes were the Dizionario per 
corrispondenze in cifra by Baravelli in Torino (1896), Chiffrier-Worterbuch 
by Friedmann in Berlin, and Chiffrierbuch by Steiner & Stern in Vienna 
(1892). 

4.4.4 Telegraph codes. The tariff policy of the International Telegraph 
Union (Sect. 2.5.2.2) led in 1890 to the widespread use of five-digit codes. 
Brachet in Paris published such a code in 1850 ( Dictionnaire chiffre), oth¬ 
ers are Diccionario para la correspondencia secreta by Vaz Subtil in Lisbon 
(1871), Worterbuch by Niethe in Berlin (1877), and Dictionnaire pour la 
Correspondance secrete by N. C. Louis in Paris (1881). Among the later ones 
were the Dictionnaire chiffre Diplomatique et Commercial by Airenti and 
the Telescand Code in France, Diccionario Cryptographico in Lisbon (1892), 
Nuovo Cifrario by Mengarini in Rome (1898), Cifrario per la corrispendenza 
segreta by Cicero in Rome (1899), Slater’s Code by Slater in London (1906), 
and Clave telegrafica by Darhan in Madrid (1912). 
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4.4.5 Commercial codes in the 20th century. Many code books offered 
numeral and literal codegroups as well. Until recently frequently used codes 
include Bentley’s Code (since 1922), ABC Code 6th edition (since 1925), 
Peterson’s Code 3rd edition by Ernest F. Peterson, Acme Code by William 
J. Mitchel, Rudolf Mosse Code (since 1922), Lombard Code , and AZ Code. 
The largest codebook ever in general use was compiled by Cyrus Tibbals for 
the Western Union Code ; it contained 379 300 entries, while the ABC Code 
had only 103 000 . 

In the Second World War, the Allies used the BAMS code (“Broadcasting 
for Allied Merchant Ships”), which was widely compromised, as a basis of 
superencryption. Plaintext would have been no worse. 

For long years, an Internationaler Hotel-Telegraphenschliissel fiir Zimmerbe- 
stellung was reproduced in German calendar notebooks, with codegroups 
ALBA for “ 1 Zimmer mit 1 Bet-t” , ARAB for U 1 Zimmer mit 2 Bet-ten”, 

ABEC for U 1 Zimmer mit 3 Bet-ten”, BELAB for “2 Zimmer mit- je 1 Bet-t”, 

BIRAC for “2 Zimmer mit 3 Bet-ten”, BANAD for “2 Zimmer mit- 4 Bet-ten”, 

CIROC for “3 Zimmer mit- je 1 Bet-t”, CARID for “3 Zimmer mit 4 Bet-ten”, 

CALDE for “3 Zimmer mit- 5 Bet-ten” and so on. 

Some codes have been translated into foreign languages. The Marconi Code 
(Fig. 40), by James C.H. Macbeth, is truly multilingual (nine languages in 
four volumes), making true a dream of Athanasius Kircher (1602-1680). 

4.4.6 Error-detecting and -correcting codes. In 1880, J. C. Hartfield 
introduced for checking purposes the ‘two-character differential’ of the code¬ 
groups (for a 27-character alphabet Z 2 7 , from 27 5 = 14 348 907 codegroups 
of a five-character code, there remain 27 4 = 531441 ones). Around 1925, 
W. J. Mitchel introduced also a check against transposition of adjacent char¬ 
acters (leading to reverses like in LABED and ALBED), which reduced the num¬ 
ber of usable codegroups, in the example to 440 051. Mitchel’s idea of the 
‘adjacent-letter restriction’ spread rapidly. Both the one-part code of the 
Japanese Navy, dubbed JN-25A by OP-20-G (1. 6.1939, broken Sept. 1940) 
and the two-part code JN-25B (1.12.1940, broken March 1942) used five¬ 
digit codegroups, divisible by 3. These codes were forerunners of the error¬ 
detecting and error-correcting codes introduced by Richard W. Hamming in 
1950; today this checking principle is everywhere present in the bar codes of 
the European Article Number (weights alternatingly 1 and 3, divisible by 10) 
or in the ISBN system (weights 10, 9, 8 , ..., 2,1 in this order, divisible by 11). 

4.4.7 Shortlived codes. In contrast to commercial codebooks, which are 
(for not too low a price) generally accessible and therefore should have a life¬ 
time as long as possible, diplomatic and military codes should be subjected to 
“planned obsolescence” (Sect. 2.1.1), and correspondingly should be changed 
as often as possible. It therefore seems hopeless to list the ones used in this 
century, although often parsimony and laziness have prevented sufficiently 
frequent change. US-American diplomatic codes, which were far too long in 
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M. N. O. P. a S. T. U. Y. Z. 
0 123406789 


10140 

UVVIM 

elockncee. 

rellrbsncDt. 

Oojedsd, desceido. 

10141 

UVVOJf 

SUj(.). 

Scorir(c). 

Esceris(a). 

10145 

UVWEO 

Slander(i). 

Diftsmefr), diftsmstioa. 

Odumnie(r), rslunnii(s). 

10143 

WWW 

slandered. 

diffsal. 

calunniedo. 

10144 

WWYH 

blundering. 

diiTswent. 

csIuujd'uimIo. 

16143 

UVYI1S 

slanderous. 

ilifltmtloin. 

cslameioso. 

10140 

WYCT 

Slate(s). 

Ardoise(s). 

Puerref*). 

1014? 

UVYDU 

Sleeper (t). 

Traversc(s) {ebrmin* dr ter). 

Travie*e{*) ( «lurmirntr(*) (f.e.). 

10143 

UVYFY 

SIrcvc-ralre. 

Soupspc A menchon. 

Viiruls de manguito. 

19149 

UVYMZ 

SUde(t). 

Glil*«<rJ, glie*i4rr(»). 
tkuir ds distriUilinn. 

RctbeJe(r), n.rntJrr»(i). 
vilreU de dietriberide, de conrders. 

10130 

UVYUM 

elide-valve. 

glwvent. k runtime. 

rrabeletido, nr*lwUmieBto, Utilize* 

19161 

UYYVM 

eliding. 

uicnte. 

10151 

IIVYWO 

eliding eeale. 

4cbcQe mobile. 

««l» m6*U. 

19163 

UVYZP 

Slight. 

L^fer, )j*«i important. 

Ligero, love. 

10164 

WZUR 

•lightest. 

It (U) Mtaiiudrr. 

• Ui uuU li/eru, 1eV«*. 

10155 

UVZYS 

not tho slightest. 

|M> (U) i»>iiuln-. 

tMt bhU Hern*. mlnumi. 


10140 

UVVIM 

•Uekneee. 

10141 

UVVOJf 

SUg(e). 

10145 

UVWEO 

SUnder(s). 

19143 

UVWUP 

slandered. 

19144 

WWYH 

blundering. 

19145 

uvyiis 

slanderous. 

19140 

WYCT 

Sletc(s). 

19147 

UVYDU 

Sleepcr(a). 

19143 

UVYFY 

SWvc-ralre. 

19149 

UVYMZ 

SUde(s). 

10150 

UVYUM 

slide-vulva. 

19161 ! 

UYYVN 

eliding. 

10151 1 

UVYWO 

sliding scale. 

19153 ; 

UVYZP 

Slight. 

10164 

UVZUR 

slightest. 

1P156 

UVZYS 

not tho slightest. 


M. X. 0. T. a S. T. V. Y. Z. 
0121486719 
SchlafThcit, Ccedi&ftestillo. 

SchJscke(n). 

Verlcuii»deii(-e,-l) f Vcrloumdung(on). 
vorlowndct. 
vorlcuirulend. 
vwlou mdon »ch. 

Schiefrr, Schi«rcrte(Vl(n). 
(Balm-)Schw’eUe(n). 

MuffenvenliL 

Clcilen(*e. -et), G loll balm (on), C!»it- 
fuhrungtcu). 

Suhk'burvtinlil, Vonlilecliiobcr. 
gtoitoud. 

Cloiuk/do. 

Cerlng, von goringor Wichligkoit. 
goringat. 

nicht du (ilor, die) goring* to. 


slaplicid, stilto. 

Sehuiin, sluk(ken). mctiuil*chuim(-»l*kkcn). 
Belasterrn, bcluetorfl), lector, 
belatuifd, 
boles to rood. 

laaterlijk. 

Lei(en). 

Dwanliy;tr(i). 

Mofklcp. 

CUjden(-t); schuif (schuiven), iribuim 
(loihanon), vrindklop(pon). 
schuif, ttouinHcluiif, •chuifklop. 
vcrachuifbear, glijJcnd. 
ludibvnuoat, proportionoclo school. 

Cering, onboduidund. 
goringste. 

niot do (hot) coring*to. 


Fig. 40. The Marconi Code: Corresponding pages from the English-French-Spanish 
and the English-German-Dutch edition 

use, are RED and BLUE (before 1914), both five-digit codes, and GREEN 
(from about 1914 until about 1919), likewise with five digits. Around 1920 
GRAY, mentioned in Sect. 4.4.1, arrived, and was still in use under Franklin 
Delano Roosevelt in 1941. Roosevelt sent Dec. 6, 1941, a note to Cordell 
Hull: “Dear Cordell—Shoot this to Grew [the ambassador in Tokio] -I think 
can go in gray code—saves time—I don't mind if it gets picked up — FDR”. 
Under the security-conscious Roosevelt, in the mid-1980s, the two-part code 
BROWN was introduced; after 1939 the distrustful statesman nevertheless 
preferred encryption systems from the Navy Department “for matters of ut¬ 
most secrecy,” as he put it. The further diplomatic codes A-l, B-l, C-l, D-l 
did not change Roosevelt’s harsh opinion about the security risk of the State 
Department codes. The BLACK code appeared about 1940. 

Sometimes the code producers ran into surprises: When the American Ex¬ 
peditionary Force (AEF) in 1917 got involved in France in the First World 
War, it turned out that the War Department Telegraph Code , issued 1915, 
was both unsafe and inadequate for tactical use. In great haste, the Code 
Compilation Subsection of MI-8 in July 1917 started work on a suitable code; 
it was ready after one year, on July 1, 1918. The Military Intelligence Code 
No. 5 was a one-part code, though with two-character difference of the code- 
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groups of type VCVCV, VCCVC or CVCCV. Although rather soon a better, 
two-part code ( Military Intelligence Code No. 9) was available, No. 5 stayed 
valid until September 1, 1934, with the classification “SECRET” , then under 
the short name SIGCOT it was demoted to “CONFIDENTIAL” . Likewise, 
No. 9 , which was taken out of use around 1923, was reactivated April 1, 1933, 
demoted to “CONFIDENTIAL”, with the short name SIGSYG for the en¬ 
cryption and SIGPIK for the decryption part. Lack of money was responsible 
for this, but not even a superencipherment was prescribed, which would have 
needed no investment. 

4.4.8 Trench codes. On the lower military level, the combat level, codes 
had sometimes a better, sometimes a worse reputation. The Kaiserliche Heer 
changed in 1917 from the hitherto used turning grilles (Sect. 6.1.4) to codes. 
For radio traffic in the 3-km combat zone, in March 1917 a simple digraphic 
substitution, a Befehlstafel was introduced. Already in 1916 the French issued 
a three-letter code, the carnet reduit , with names like olive and urbain. The 
codegroups were ordered with headings like infantry, artillery, numbers, clock 
times, common words, place names, cover names etc., so it was a caption code. 

In March 1918, the Kaiserliche Heer made the transition step—foreseen by 
the Allies—to a superencrypted, but still one-part code, a three-digit code. 
The superencryption was extended to the first two digits only and was done 
with the Geheimklappe (Sect. 4.1.2), which was changed frequently. The fixed 
third digit allowed the occurrence of patterns and thus helped cryptanalysis. 

For higher cryptanalytic security requirements, outside the 3-km combat 
zone, the Germans introduced in June 1917 a two-part three-letter code 
(Satzbuch ). No superencryption was intended; the cryptanalytic security 
of this cryptosystem was from the beginning based on planned obsolescence 
(something like 14 days). The code contained a great number of homophones 
(KXL, ROQ, UDZ for Anschlufi fehlt ) and nulls. It was called KR.U code by the 
Allies, because all codegroups started with one of the letters K, R, U; or also 
Fritz code. Later, codegroups beginning with S were added and furthermore 
some beginning with A (KR.USA code); finally the 26 letters of the alphabet 
were supplemented by the mutated vowels A, 6, U (this code was—not very 
systematically—called KR.USA code). 

The armistice in November 1918 ended this unpeaceful epoch of the ‘trench 
codes’. But trench codes were not forgotten. In a manual of the US War 
Department (1944) can be found: “Cipher machines cannot, as a rule, be 
carried forward of the larger headquarters, such as Division. Hence, code 
methods may predominate in the lower echelons and troop formations.” 

This can be interpreted as the view that—in military radio traffic—‘naked’ 
codes without superencryption can only be tolerated at the lowest level of se¬ 
curity. For this reason, Friedman introduced polyalphabetic enciphering with 
a handy device, the M-94, as a field cipher in the US Army. During the Second 
World War, even this was no longer considered sufficient in the USA. Boris 
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Fig. 41. 

Hagelin M-209 
in combat situation 

Hagelin—who had travelled in May 1940 at the last minute from Sweden 
across Germany to Genoa and then boarded the Conte di Savoia to the United 
States, with two of his C-36 (Sect. 8.5.2) in his luggage—impressed Friedman 
and the US Signal Corps with his improved version C-38. Hagelin had to 
wait for a full year while his machine was thoroughly tested. In June 1941, 
the decision was made for a mechanical machine at the low-echelon level. 
Figure 41 shows a soldier, rifle slung on back, enciphering with a Hagelin 
M-209 cipher machine at the message center of the command post of the 
3rd Division, US Infantry in Hyopchong, Korea, on October 1, 1951. 

Indeed, Boris Hagelin had quite early considered 
the use of mechanical cipher machines in the front 
line. For the Hagelin C-35, the base-plate was 
formed in such a way that the machine, when used 
at the front line, could be strapped onto the knee 
of the operator. As Hagelin writes, the operator 
could walk, if necessary, with the machine fixed to 
his knee—whether he liked it, is left open. For the 
French constabulary, Hagelin even designed in the Spruchtamgerat STG-61 
1950s a pocket cipher machine of roughly the same power (CD-55, CD-57). 
In connection with punch tape keys it found use in the German Army ( Spruch- 
tarngerat STG-61). 

In the meantime, the struggle between codebooks and cipher machines has 
become obsolete—microelectronics collapses the differences and opens com¬ 
pletely new avenues. 
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Although Hill’s cipher system itself 
saw almost no practical use, it had 
a great impact upon cryptology. 

David Kahn 1967 

A linear (geometrically ‘affine’) substitution is a special polygraphic substi¬ 
tution. The injective encryption step of a poly graphic block encryption 
X : V n —->■ W m 

with relatively large n and m is restricted in a particular way: 

The finite character sets V and W are now interpreted essentially as being 
linearly ordered, with a first character a(V) and a last character u>(V ). The 
ordered character set is called a standard alphabet in the proper sense. 

In this order there is for each character x except the last character exactly one 
next character succ(x); for the last character the next character is defined as 
the first one, succ(cd(V)) = a(V ). Thus, the mapping succ defines uniquely 
an inverse mapping pred; the cyclically closed standard alphabet is a finite 
non-branching (i.e., linear) cyclic quasiordering. 

In V = Zfyj and W = Z\ w \ an addition can be defined recursively: 

For a, b GV or a, b G W it holds that 
a + a(V) = a ; 
a + b = succ(a) + pred(6) . 

This means that the sets Z\y\ and Z\ w \ are mapped uniquely and order- 
preservingly on Z|y| and Z^,. , where Z N denotes the group of residue classes 
modulo the natural number N of the group of integers Z , the elements of 
which are represented by the cycle of natural numbers (0,1,... N— 1). Ad¬ 
dition in V and W corresponds to addition of the residue classes. Commonly, 
the alphabet {a, ... , u)} is identified with the cycle numbers (‘cyclotomic 
numbers’) {0 , ... , N — 1}, where _/V=|F| or7V=|lT|. 1 
Addition in V or W is now carried over to V n and W m componentwise. 
Moreover we identify V = W = Z N , V n = Z n N , W m = Z™ . 

1 For Z 26 <-> Z 26 , the identification is as follows (‘algebraic alphabet’): 

abcde fghi j klmnopqrs t uvwxyz 
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
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With these definitions, a mapping ip : Z^r->- is said to be additive if 

and only if 

V x, y G Z^ : p(x + y) = <p(x) + <p{y) , 
in words: “The image of the sum is the sum of the images.” Consequently 
J. n N : ip(x + x + ... + x) = i p(x) + <p{x) + ■ ■ ■ + <p(x) , 
in words: “The image of a multiple is the multiple of the images.” 

Indeed, Z w is a ring and Z^ a vector space with the origin o = (0 0... 0); 
p is a linear mapping of the vector space Z^ in the vector space Z^ . 
If N = p is prime, and only then, Z^ is even a field, the Galois field F(p). 
However, in the sequel we shall not require the primality of N . 
Notationally, we use a square matrix T over Z. N for the representation of 
<p : p(x) = xT with the inverse p^ 1 (y) = yT~ x . 

A linear substitution % : Z^ —> Z^ is defined as the sum of a 
homogeneous part, a linear mapping ip represented by a matrix T £ Z^ m 
and a translation of the origins, represented by a vector t G Z^ : 

X{x) = xT + t . 

If T is the identity, there is the special case x( x ) = x + t of a translation 
(polygraphic CAESAR addition by a ‘CAESAR shift’). 

If a linear mapping ip is injective, then it is regular, i.e., it has a unique inverse 
on its image. If in the sequel we assume the endomorphic case with equal 
width m = n , then a regular linear mapping is a one-to-one mapping. 


Example: 

Given over Z 26 a square matrix T and a vector t , 

/15 2 7 \ 

T = 8 10 23 t = (17 4 20) 

\ 0 2 8 / 

The 3x3 matrix T and the 3-component vector t define a tripartite tri¬ 
graphic substitution. The encryption of the trigram /mai/ = (12 0 8) is 

26 

(24 14 18) + (17 4 20) ~ (15 18 12) = /psm/. 

since the T-image of (12 0 8), obtained by calculation modulo 26 is 


l 1 5 

(12 0 8 ) 8 

\o 

But the trigram /ecg/ = (4 2 

( l 5 

( 4 2 6) 8 

\o 


2 

10 

2 

6 ) 

2 

10 

2 



~ (24 14 18) . 


has the same T-image, 



~ (24 14 18) . 


Encryption by the given matrix T is therefore not injective, in fact T is not 
regular and does not have an inverse. The vector (8 24 2) annihilates T. 
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5.1 Self-reciprocal Linear Substitutions 

The question is obvious : When is an endomorphic linear substitution \ self- 
reciprocal? The condition is that x( x ) = X T + t = X _1 ( a: ) > thus 

x = x{x{ x )) = { X T + t)T + t = xT 2 + tT + t , from which 

T 2 = I and tT + t = o 

follows. This is to say that the matrix T of the homogenous part is self¬ 
reciprocal, whence only 1 or N — 1 can be eigenvalues of T , and the trans¬ 
lation vector t either is zero or eigenvector of T for the eigenvalue iV—1. 
In particular, \ can be a reflection with a reflecting plane having as its 
normal the vector v : 

X(x ) = x + (1 — 7 ( 2 :)) v with v o 
where the linear functional 7 fulfils the condition 7 (f) = 2 (in the case 

N = 2 the condition 7 ( 11 ) = °) • Then x( v ) — 0 1 an d x(°) — v . A simple 

calculation confirms X 2 ( x ) = x: 

X(X( X )) = X( x ) + [1 - 7(x0))] v 

= x + (1 — x{x))v + [1 — 7 (x) — (1 — 7 (aj)) 7 (u)] v 
= x + (1 — x(x))v + [ (1 — 7 ( 2 ;)) — 2(1 — 7 ( 2 ;)) ] v = x . 

Example: -> Z 2 2 (N = 2 , n = 2) 

X(( x i x 2 )) = (27 x 2 ) + (I-X1-X2) (1 1 ) = (1 - x 2 1 - 27) = 

(251 * 2 ) ^ ^ Q 1 ) + (! 1) • 

X((0 0)) = (11) (o 1 ) (1 i) 

x((o 1 )) = ( 01 ) \ 

x((i 0 )) = ( 10 ) 

x((H)) = (0 0) (oo) (T o) 

The plaintext 001001110110110001 yields the cryptotext 
111001000110001101 and vice versa. 


5.2 Homogeneous Linear Substitutions 


5.2.1 Hill. The special case of homogeneous linear substitution, t = o, 
was studied by Hill as a cryptographic instrument (HILL encryption step). 
How do we obtain T together with its inverse T -1 ? Over Z, start with a 
(square) matrix of determinant +1 and its inverse, e.g., with n = 4: 
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For numerical work it is recommended to use small negative numbers as 
representatives of the residue classes, thus over Z 26 besides 


/23 

20 

5 

1 \ 



-6 

5 

1 \ 

2 

11 

18 

1 1 

also T~ l ~ 

2 

11 

-8 

1 

2 

20 

6 

25 


2 

-6 

6 

- 1 

V 25 

2 

22 

25/ 


\-l 

2 

-4 

- 1 / 


T- 1 22 


Example: The image of the tetragram /ende/ = (4 13 3 4 ) 

is calculated modulo 26 to yield /jhbl/ = (9 7 1 11) : 


(4 13 3 


(9 7 1 


/ 8 

6 

f 6 

9 

5 

8 

V 10 

6 

/~ 3 

—6 

2 

11 

2 

—6 

V-l 

2 



~ (9 71 11 ) , 

~ (4 13 3 4 ) . 


5.2.2 Inhomogenous case. With t = (3 8 5 20) and T as above an 
inhomogeneous linear substitution \ is obtained 


X(( x l x 2 x 3 £ 4 )) = (X\ X 2 X 3 £ 4 ) 
with the inverse substitution 

X _1 ((2/i 2/2 2/3 2/4)) = ( 2/1 2/2 2/3 2 / 4 ) 


f 8 

6 

9 

6 

9 

5 

5 

8 

4 

\10 

6 

11 

/23 

20 

5 

2 

11 

18 

2 

20 

6 

\25 

2 

22 



+ (3 8 5 20) 



+ (3 24 21 14) . 


5.2.3 Enumeration. The number of regular nxn matrices over Z w 
depends on the primality of N . A well-known result is (L. E. Dickson, Linear 
groups. Leipzig 1901): 

Theorem. Let N = p , p prime. The number g(p, n) of regular matrices 
from Z”’" is equal to the number of bases of the vector space Z^’" , i.e., 

g(p, n) = (p n - 1) (p n - p) {p n - p 2 ) .. (p n - p 71 - 1 ) . 

2 

The number of different matrices altogether is p n . Thus 

2 

g(p 7 n) = p n ■ p(p, n ) , where 

n 

P(P, n) = Yl(l-i-) k ) . 

fc=1 p 

For the binary case N= 2: g{ 2,1) = 1, g{ 2, 2) = 2 1 • 3, g{ 2, 3) = 2 3 • 3 • 7, 

g(2,4) = 2 6 -3-7-15, 5 ( 2 ,5) = 2 10 -3-7-15-31, c/(2,6) = 2 15 -3-7-15-31-63 . 
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For p(p, n ), a limit as n goes to infinity can be given (Euler 1760): 

lim p(p , n) = h (-) , where 

n—»■ oo p 

oo 

h(x) = 1 + ^ (-l) fc [a ; (3fc2 - fe)/2 + £C ( 3fc2 + fc )/ 2 ] 

= 1 - a: - x 2 + x 5 + a: 7 - a: 12 - x 15 + x 22 + x 26 ... . 

h(x) is a ‘lacunary’ series, connected with theta series and elliptic func¬ 
tions. For details see R. Remmert, Funktionentheorie I, Springer, Berlin 1984, 
p.263. h(^) provides for larger n a rather good estimate for p{p,n ); some 
values for primes p are 


TV = p 

Mp) 

In Mp) 

2 

0.28879 

-1.24206 

3 

0.56013 

-0.57959 

5 

0.76033 

-0.27400 

7 

0.83680 

-0.17817 

11 

0.90083 

-0.10444 

13 

0.91716 

-0.08647 

17 

0.93772 

-0.06430 

19 

0.94460 

-0.05699 


For p > 10 , 1 — ^ gives already five correct figures for h(^) ; 

— l/(p — |) approximates In h(^) with a relative error less than J 2 . 

For powers of a prime, the situation is more complex. 

Theorem (Manfred Broy 1981) 

Let N=p s and A g J. n N n . Then there exist A, g , 0 < i < s 

such that A can be uniquely represented in the form A = X^i=o P l ■ 
A is regular if and only if A 0 is regular. 

From this theorem, 

g(p s , n ) = g(p, n ) • {p s ~ l ) n = ( p a ) n • p{p, n) = N™ 2 ■ p(p, n) . 

Finally, for the general case N = p J 1 • p*£ ... p s k k , the number of regular 
matrices is 

g(N, n ) = TV ” 2 • p(pi , n) • p(p 2 ,n) ■ ... p{p k , n). 

N n is a small number compared with the number (N n )\ of all n-partite 
n-graphic substitutions: for N = 25 , n = 4 we have (TV")! ss io 2184284 ) 
compared to TV " 2 = 2.33 • 10 22 and g(N, n) = 1.77 • 10 22 . This comes close 
to the number 6.20 • 10 23 of simple cyclic permutations for TV = 25 . 

For N = 25: g( 25,1) = 20, g(25, 2) = 300 000, 5 (25,3) = 2 906 250 000 000 ; 
for N = 26: g(26, 1) = 12, g(26, 2) = 157248, g(26, 3) = 1634038 189 056 . 
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5.2.4 Construction of reciprocal pairs of matrices. The construction 
of a regular square matrix is most simply done as a product of a lower and 
an upper triangular regular matrix. This means that the diagonal elements 
should be invertible (Sect. 5.5, Table 1); most simply Is are chosen. Moreover, 
the transpose of the lower triangular matrix can be chosen for the upper 
triangular matrix, which produces a symmetric matrix. Inversion of the 
triangular matrices with the elimination method leads to the inverse matrix. 

Choosing Is in the diagonal, it is also possible, although not always preferable, 


to do all the computations first in Z 
classes. 


Example: 



For Z 26 , Z 25 respectively, 

13 5 \ /II 21 1 \ 

3 10 17 , 21 5 24 

5 17 4/ \ 1 24 1/ 


and then to pass over to the residue 


3 5 \ 

10 17 J ; 
17 30 / 



/I 3 5 \ /II 20 1 \ 

3 10 17 , 20 5 23 

\5 17 5 / \ 1 23 1 / 


are pairs of (symmetric) mutually inverse matrices; for Z 10 , Z 2 , 

/l 3 5 \ /I 5 1 \ /1 1 1 \ /I 1 1\ 

3 0 7,5 5 8 and 101,110. 

\5 7 0/ \1 8 1/ \1 1 0/ \1 0 1/ 

If for given n and N the lower triangular matrix L and the upper 
triangular matrix U (with Is in the diagonal) are chosen arbitrarily and 
for D an arbitrary diagonal matrix with invertible elements is taken, one 
obtains up to reordering of rows and columns all pairs of mutually reciprocal 
matrices LDU and . 


5.2.5 The construction of a self-reciprocal matrix is scarcely more difficult: 
If, for given n and N , (X , X -1 ) is a pair of mutually reciprocal matrices 
and J is a self-reciprocal diagonal matrix, with elements +1 or —1 (more 
generally, self-reciprocal in Z^), then X J X~ x is self-reciprocal. 
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Example: 

/1 3 5 \ /1 \ / 11 -5 l\ / 31 -30 12\ 

3 10 17 -1 - 5 5 -2 = 100 -99 40 . 

\5 17 30/ \ 1 / \ 1 —2 1/ y 170 -170 69/ 

For Z 26 , Z 25 , Z 10 , Z 2 the following self-reciprocal matrices are obtained: 

/ 5 22 12 \ / 6 20 12 \ /l02\ /l00\ 

22 5 14 , 0 1 15 , 0 1 0 , 0 1 0 . 

y 14 12 17/ V 20 5 19 / y0 0 9/ \0 0 1/ 

Over Z 2 the identity is the only self-reciprocal diagonal matrix. 

No simple expression is known for the number of self-reciprocal nxn matrices 
over Z^y. 

5.3 Binary Linear Substitutions 

For Z 2 , i.e., for binary words (of length no) of plaintext and cryptotext, the 
technical execution of linear substitutions is particularly simple. The arith¬ 
metic modulo 2 can be translated into Boolean algebra and implemented in 
parallel with binary circuits of a width no, for not too big no , say up to 64 . 

Comparing the case Z 2 ° x "° (n = no, IV = 2 s ) with the case Z 2 ”° xs ”° 
(n = s-no, N = 2) which is obtained by decomposing the 2 s characters of 
Z 2 ° xn ° in binary words of length s, gives the following conclusion: the 
number of all regular linear substitutions is 2 s ' n ° ■ p(2,no) = K ■ p(2,n 0 ) for 
the case Z 2s oXn °, 2 s2 ' n °-p{2, s ■ no) = I\ s ■ p( 2, s ■ no) for the case Z 2 n ° xs n °. 
We may say: The structure of Z 2 is finer than the structure of Z 2 „ . 


5.4 General Linear Substitutions 

Including the N n translations, there are roughly N n2 + n linear substitutions 
altogether. Self-reciprocal homogenous linear substitutions (with N = 26) 
were proposed in 1929 by Lester S. Hill 2 (a precursor was F. J. Buck in 1772; 
L. J. d’Auriol used in 1867 a bipartite digraphic cipher V 2 —> V 2 which 
possibly is a special linear substitution). Hill’s ideas were taken up in 1941 
by A. A. Albert in a wave of both patriotic and mathematical enthusiasm, 
in particular at a meeting of the American Mathematical Society. By then, 
Hill’s ideas had already had their impact on W. F. Friedman in the USA 


2 Lester S. Hill was assistant professor of mathematics at Hunter College in New York. 
He received his Ph.D. in 1926 at Yale, aged 35, having been a college teacher for a 
while. The paper was published in The American Mathematical Monthly under the 
title Cryptography in an Algebraic Alphabet (Vol. 36, p.306—312, June-July 1929), 
with a follow-up Concerning certain linear transformation apparatus of cryptography 
(Vol. 37, p.135-154, March 1931). Hill received US patent 1845 947 on his apparatus, 
Feb. 16, 1932. He was until 1960 professor at Hunter College and died January 9, 1961. 
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and on Werner Kunze in the German Auswdrtiges Amt. 3 The importance 
of Hill’s invention stems from the fact that since then the value of mathe¬ 
matical methods in cryptology has been unchallenged. Consequently in the 
early 1930s mathematicians entered the cipher bureaus: besides Kunze in the 
US Solomon Kullback (1907-1994), Abraham Sinkov (1907-1998), Frank B. 
Rowlett (1908-1998), in the Netherlands the statistician Maurits de Vries, 
and quite a few more whose names remained so far unpublished. 

Lester S. Hill designed a machine for linear substitutions (n = 6), US Patent 
1 845 947 . Such a purely mechanical device with geared wheels was rather 
slow, therefore in the Second World War Hill’s machines were only used 
for superencrypting three-letter code groups of radio call signs—which was, 
compared to hand computation, quite a saving. 

5.5 Decomposed Linear Substitutions 

As a further special case, linear substitution contains a certain poly alphabetic 
enciphering. This occurs if T decomposes in a direct sum, 

T = Ti ® T 2 ® • • • ® T r , i.e., its matrix has blockdiagonal form, 

Ti 0 ... 0 

0 T 2 ... 0 

: : ’ ’ • 0 
0 0 0 T r 

where Ti is n,; x rq . In this case, each Ti , together with the corresponding 
part t-i of t = ti ® t 2 ® • • • ® t r , still is a poly graphic substitution, an 
enciphering of n,;-grams. Provided these r substitutions are pairwise differ¬ 
ent, the encryption step is an r-fold polyalphabetic linear polygraphic step. 
In other words, a whole period of a periodic polyalphabetic encryption is 
comprised in the single matrix. More about this in Sect. 7.4.1 . 

An important extreme case has n, = 1, r = n. Then T is a diagonal matrix 
and to every line there corresponds a simple linear substitution, a very special 
unipartite monographic substitution T,; : V 1 —> V 1 . 

Let us study this substitution—a permutation—more closely: It reads 
X(x) = h-x+t and is certainly regular for h = 1, yielding x{x) = x+t. Thus, 
a simple linear substitution with h = 1 is a monographic CAESAR addition 
X(x) = x + t with the inverse % -1 (:r) = x — t (for t / 0 a proper one). 

3 Dr. Werner Kunze, b. about 1890, studied mathematics, physics and philosophy in Hei¬ 
delberg, was with the cavalry in the First World War, and in January 1918 started work 
on cryptology in the Auswdrtiges Amt. In 1923, he solved a superencrypted French 
diplomatic code, in 1936 ORANGE and later RED, two Japanese rotor-cipher machines. 
Kunze was presumably the first professional mathematician to serve in a modern crypt- 
analytic bureau. Kunze was, like Mauborgne, a passable violin player and Oliver Stra- 
chey was known to be a good musician, while Painvin was an excellent cellist. Lambros 
D. Callimahos, at NSA, was a famous flutist. 
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N= 2 

1 



'O 

II 

(M 

3 

N= 3 

1 2 



M3 = C2 

N= 4 

1 3 



M 4 = C2 

N= 5 

1 3 

4 


M 5 = C4 

N= 6 

1 5 



m 5 = c 2 

II 

i 2 

3 

5 

6 

m 7 = c 6 

N= 8 

1 3 

5 

7 

■Ms = C2 x C2 

N =9 


4 

7 

8 

Mg = Cq 

N= 10 

' ? 

9 


M10 = C4 

V=ll 

' 0 

3 

4 

5 7 10 

9 8 u 

Mu = C 10 

JV=12 

1 5 

7 

11 

M12 = C2 X C2 

JV=13 


3 

9 

4 5 6 

10 8 11 

Mi3 = C12 

JV=14 

1 5 

9 

11 

13 

■M14 = Cq 

JV=15 

' i 

4 

13 11 14 

Mis = C4 x C2 

iV=16 

! 3 

1 11 

5 

13 

7 9 15 

Mig = C4X C2 

N= 17 

1 2 

9 

3 

6 

4 5 8 10 11 

13 7 15 12 14 ° 

Mir = Ci6 


Table la. Reciprocal pairs in Z N for N from 2 to 17 
(Bold-faced figures: Generating elements of the multiplicative group Adjsr) 
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N =18 


.Mis — Cfi 


iV=19 


2 3 4 6 7 8 
10 13 5 16 11 12 


A419 — Ci 


N =20 


® 9 11 ^ 19 


M 20 = C 4 x C 2 


iV=21 


2 4 5 
11 16 17 


A42i = Cqx C 2 


N=22 


3 5 7 13 
15 9 19 17 


M 22 — Ci 


N =23 


2 3 4 5 7 9 
12 8 6 14 10 18 


11 13 15 17 
21 16 20 19 


A 4?3 = C 2 


N =24 1 5 7 11 13 17 19 


A424 — C 2 X C 2 X C 2 


N=25 


4 6 7 8 
19 21 18 22 


8 9 11 12 


14 16 23 


A425 = C 2 


N =26 


7 11 17 
15 19 23 


A426 = Ci 


N =27 


5 8 10 13 
11 17 19 25 


M27 — Ci 


N =28 


A428 — CqX C 2 


N =29 


4 5 7 8 
22 6 25 11 


8 9 12 14 16 18 19 23 


13 17 27 20 21 26 24 


28 A429 = C 28 


N =30 


19 29 


M. 30 — C 4 X C 2 


AT=31 


4 5 6 7 10 11 12 14 15 18 22 23 
8 25 26 9 28 17 13 20 29 19 24 27 


30 AI 31 = C 3 


N =32 


M 32 = C$x C 2 


N =33 


5 7 8 in 13 14 16 
20 19 29 U 28 26 31 


23 32 


-M33 = C10 x C2 


Table lb. Reciprocal pairs in Z N for N from 18 to 33 
(Bold-faced figures: Generating elements of the multiplicative group A4]\[) 
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For x( x ) = x + i we write from now on also x( x ) = P l ( x ) > where 
p(x) = x + 1 . 

Quite generally: 

A simple linear substitution x{ x ) = h • x + t=p t (h ■ x) is regular, 

X 1 {x) = h~ 1 ■ (x-t) = h~ 1 - p~ t {x) if and only if h is relatively prime to N. 
Table 1 gives for some values of N reciprocal pairs of h and h~ 1 , including 
certain self-reciprocal h yielding self-reciprocal permutations. 

5.6 Decimated Alphabets 

The homogeneous case t = 0 has the trivial cases 
h = /i -1 = 1 (unchanged alphabet) and 

h = /i” 1 = N — 1 (complementary alphabet) 

and otherwise the decimated alphabets (French alphabets chevauchants , Ger¬ 
man dezimierte Alphabete), studied by Eyraud: alphabets whose represen- 
tants are the ft-folds of the integers modulo N —provided h and N are 
relatively prime. Thus, the alphabets are obtained by going in steps of h 
(‘symbolic multiplication’, ‘decimation by h'). 

Examples for N = 8 : 

* = 1 : (“ ‘ c d e / It) = <»> W (<=) M (') (/) (5) < k > 

h = 3: (“ b d l t l i l )) = («) (M) (c») (e) (A) 

* = 5 : (« / o t l l l i) = W (V) (0 (A) (e) (P) 

A = 7 : (a ft « / e d c b) = (o) (W,) (cs) (<i/) (e) ' 

There is a distinction between the complementary alphabet with 

N N 

X(x) = (N — 1) • x ~ N — x ~ —a: 

and the reversed alphabet, originating from the inhomogeneous case with 

X(x) = (N — 1) • (x + 1) £ (N — 1) — x ~ —x — 1 . 

The number g(N, 1) of regular homogeneous simple linear substitutions 
coincides with the Euler totient function p(N ), the number of numbers 
from 1,2, ..., N — 1 relatively prime to N. 

For N = pi 1 ■ p s 2 2 ■ ... ■ p s k k , 

<p(N) = (jpi - 1) • p Sl_1 • (p 2 - 1) • _P S2_1 • ■ • ■ • (pk - 1) ’ P Sk ~ X 
= AT-(1 - A) . (i _ A) . ... • (1 —M 

V P 1 y V P2 7 V Ps ' 
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5.7 Linear Substitutions 

with Decimal and Binary Numbers 

Note the following difference: belongs to V n , while Z Nn belongs to V ; 

one obtains Z^n if V n is ordered lexicographically. 

5.7.1 Case AT =10 (Z 10 „). The decimated alphabets (Sect. 5.6) are par¬ 
ticularly interesting for amateurs encrypting n-digit decimal numbers with a 
pocket calculator, since they allow use of multiplication besides addition. 
Even with a mechanical adder it is easy to calculate in Z 10 „ . (For the 
transition to calculation in Z 10 , it is only necessary to dismantle the carry 
device, see Sect. 8.3.3). 

Example n = 2 (Z 100 ): It suffices to know the reciprocals modulo 100 of the 
primes up to 97 (excluding the divisors 2 and 5 of 100): 
h = 3 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 
h - 1 = 67 43 91 77 53 79 87 69 71 73 61 7 83 17 39 41 3 31 37 19 47 9 33 
Note that the last figure of the reciprocal is determined by the reciprocal 
modulo 10 of the last figure, see Table 1, N = 10. 

This observation suggests for larger values of n a stepwise procedure: In every 
step, just one new figure is suitably chosen. 

Example n = 5 (Z 10 s): The reciprocal modulo 10 5 of the number h = 32 413 
is h _1 = 3 477 according to the following algorithm: 


3 



3 • 

7 = 

2 

10+1 

13 

2 + 1-7 + 3-z~0 

x = 7 

13 • 

77 = 

10 

10 2 + 1 

413 

10 + 4-7 + 3-:r~0 

x — \ 

413 • 

477 = 

197 

10 3 + 1 

2413 

197 + 2- 7 + 3- a:~0 

x = 3 

2413 • 

3477 = 

839 

10 4 + 1 

32413 

839 + 3- 7 + 3- a:~0 

x = 0 

32413 • 

03477 = 

1127 

10 5 + 1 


The costs for the determination of the reciprocal of a n-figure number are 
proportional to n 2 . 

5.7.2 Case N = 2 (Z 2 «). For professional work the binary number sys¬ 
tem is preferable. The cases n= 8 , 16, 32, or even 64 fit directly the 
internal arithmetical architecture of microprocessors. The algorithm for the 
determination of a reciprocal modulo 2 n is completely analogous the deci¬ 
mal one above, moreover it is—like the classical division algorithm for binary 
numbers—simpler than that for decimal numbers. 

For example, the number 1000 0000 0011 0111 = 32 823 
is reciprocal modulo 2 16 to 0011 0101 1000 0111 = 13 703 
Indeed, 32823 • 13703 = 449773569 = 1 + 6863-2 16 . 

5.7.3 Turing in 1937. In the fall of 1937, two years before he became 
seriously involved with cryptology, Alan Turing (June 23, 1912-June 7, 1954) 
had thoughts about encryption by multiplication in the binary number sys¬ 
tem. This may have occurred incidentally to other mathematicians, too. 
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Turing, however, designed a relay multiplication circuit for this purpose and 
built a few stages, supported by the Princeton physicist Malcolm MacPhail. 
Circumstances prompted Turing to drop this project after he returned in July 
1938 from his Princeton stay, but he was well prepared to take up mechani¬ 
cal cryptanalysis on September 4, 1939, one day after the outbreak of the 
war, when he entered Bletchley Park. This was a Victorian country mansion 
in Buckinghamshire, halfway between Oxford and Cambridge, and was the 
place to which the Government Code and Cypher School had been evacuated 
in August 1939. G.C. & C.S. invited Turing as early as summer 1938, after 
his return, to a course in cryptology “just in case”. He passed another one 
around Christmas, and met regularly with the experienced cryptologist Dill- 
wyn Knox (1884-1943), who had struggled hard in 1937 to solve Italian and 
later Spanish messages encrypted by an ENIGMA without plugboard 4 . Gor¬ 
don Welchman too, had been recruited into intelligence work before the war. 

The first mathematician recruited by the Government Code and Cypher 
School was Peter Twinn, an Oxford graduate who entered service in February 
1939. He was told later that there had been some doubts about the wisdom 
of recruiting a mathematician “as they were regarded as strange fellows, 
notoriously unpractical” (Christopher Andrew). In fact, some other early 
Bletchleyites like Turing, Welchman, and Dennis Babbage had at least some 
skill at chess, not to speak of the chess masters Stuart Milner-Barry (1906 
1995), Harry Golombek, and Hugh Alexander (1909-1974), all recruited with 
the help of Gordon Welchman. 

Britain was well prepared for the war that was brewing; from Oxford and 
Cambridge the best people, if they didn’t want to become fighter pilots, were 
recruited for Bletchley Park. G.C. & C.S., a branch of the Foreign Office, had 
started in mid-1938 to become alarmed. Neither the United States nor Ger¬ 
many had made such painstaking preparations in the recruitment of scien¬ 
tists. In Britain, it took longer than in Germany or in the USA to recognize 
the importance of mathematics for cryptanalysis, but with Turing and Welch¬ 
man at hand the arrears were made up completely. Exploiting the talents 
of unconventional and eccentric personalities enabled the Foreign Office to 
establish the ablest team of cryptanalysts in British history. 

In France, whose cryptology like the British one earlier was extremely lan¬ 
guage oriented, the opportunity passed by in 1940 when its army was overrun 
by the Wehrmacht and the country was occupied. 


4 It may not be wise to believe the story Frederick W. Winterbotham started and Cave 
Brown told in his book, that Knox and Turing travelled in the middle of 1938 to War¬ 
saw, to meet there, arranged by the Polish Secret Service, a Pole with the pseudonym 
Richard Lewinski, who allegedly had worked at the firm Heimsoeth &; Rincke in Berlin as 
a mathematician and engineer and had offered to procure a copy of the ENIGMA. Marian 
Rejewski, in 1982, called this “a fable” . However, Harry Hinsley reports that already in 
1938 the Polish Secret Service had contacted the G.C. & C.S. and Knox re ENIGMA. This 
first contact, however, was not flourishing; Knox called the Polish ‘stupid and ignorant’. 
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En un mot, les methodes de transposition 
sont une salade des lettres du texte clair. 
[In one word, the transposition methods 
give a nice mess of cleartext letters.] 

Bazeries 

An extreme special case, not discussed at all in Chapter 5, requires that the 
matrix of the homogeneous linear substitution has only zeroes and ones as 
its elements. This is for N > 2 a severe restriction. Requiring moreover 
that in every row and in every column, a one occurs just once and thus the 
elements are zeroes otherwise, leads to permutation matrices effectuating a 
mere permutation of the vector space basis. 

The transposition (German Wiirfelverfahren or Versatzverfahren) is a poly¬ 
graphic substitution V n —> V n , an encoding of most special kind 

(xi , X 2 , ... X n ) I > , Xtt( 2 ) 7 * • • *^ 7 r(n)) 

where n G jk is a permutation of {1...n}, jk denoting the full group of n! 
permutations. 

A transposition is not a permutation of alphabet characters, but a permu¬ 
tation of places. Its use for anagrams (bolivia - lobivia) is primeval, in 
particular for the construction of pseudonyms (Amery - Mayer). 


6.1 Simplest Methods 

The simple classes of methods use one or a few encryption steps repeated 
over and over with a not-too-big n (‘complete-unit transposition’). 

6.1.1 Crab. Simplest is back slang or crab (German Krebs ): The message 
is reversed word for word or in toto: LIRPA OCCABOT KOOL (Sect. 1.5). 
This ‘reversed writing’ comprises ananymes like REMARQUE for Kramer, and 
AVE for Eva. Crab is also known in music, for example, in the crab canon. 
Palindromes are words or sentences which are invariant under a crab: 

Madam ete Rcntner Reittier Rcliefpfeiler summus 

Able was I ere I saw Elba Ein Neger mit Gazelle zagt im Regen nie 

Esope reste ici et se repose in girum imus nocte et consumimur igni 
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Every language has its palindromes. Some more examples in English are: 
Red rum & murder . A man, a plan, a canal: Panama. Ma is as selfless as I am. 
Was it a cat I saw? (Henry E. Dudeney) Madam, I’m Adam . (Sam Loyd) 

Lewd did I live, & evil I did dwel. (John Taylor) Draw pupil’s lip upward. 
Doc note, I dissent; a fast never prevents a fatness; I diet on cod. (Peter Hilton) 

6 . 1.2 Spoonerism. A harmless non-cryptographic use of syllable trans¬ 
position (n = 4) is found in the spoonerism (German Schiittelreim ): 
they hung flags — they flung hags dear old Queen — queer old Dean 
wasted the term — tasted the worm missed the history — hissed the mystery 
The transposition 7 r : 7 t(1 ,2, 3,4) = (3, 2,1,4) found in spoonerisms is used 
cryptographically in Medical Greek, according to Kahn a mild epidemic dis¬ 
ease of London medical students: POKE A SMIPE stands for smoke a pipe. 
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Fig. 42. Route for knight’s tour transposition (n = 64) 

6.1.3 Route transcription. Then there is route transcription (‘tramp’, 
German Wiirfel ): The plaintext is written in l rows of a fixed length k and 
read out in some prescribed way. Thus, a k x l rectangle is used for the 
encryption step, n = k x l. Frequently, a square is used, then n = k 2 . For a 
2 x 2 square, the spoonerism is included as an ‘overcrossing’ route. 

The cryptotext can be read out in columns (row-column transcription): 
i c h b i n 

d e r d O k IDTECEONHRRBBDEAIOIRNKST 
t o r e i s 
e n b a r t 

This method we have met already for the construction of an alphabet using 
a mnemonic password. Variants read out along the diagonals: 

ETNDOBIERACRERHDITBOSIKN 
or boustrophedonically 1 , alternatingly down and up the columns (every sec¬ 
ond column in a crab): 

IDTENOECHRRBAEDBIOIRTSKN 

or even in a spiral: 

TSKNIBHCIDTENBARIODREORE . 


l 


Greek bustropheidon, German furchenwendig, turning like oxen in plowing. 
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A more complex route is given by a knight’s tour (German Rosselsprung- 
wurfel) (Fig. 42); its decryption, if the start is known or can be guessed, is 
not very difficult, as is familiar from knight’s tour puzzles. 

Instead of rectangles, other geometric patterns have been used from time 
to time, primarily triangles, also crosses of varying forms and other arrays 
(Figs. 43,44). There are no limits to fantasy. But these simple transposition 
methods are quite open to cryptanalysis. 

a e i n r v z 

bdfhkmoqsuw y 
c g 1 p t x 

AEINRVZBDFHKMOQSUWYCGLPTX 
Fig. 43. ‘Rail fence’ (Smith) transposition, n = 25 

b f k O S W 

a ce gi In pr tv x 
d h m q u z 

BFKOSWACEGILNPRTVXDHMQUZ 
Fig. 44. ‘Croix Grecque ’ (Muller), ‘Four winds’ (Nichols) transposition, n = 24 


6.1.4 Grilles. Convenient as tools for transposition and, if the pattern is 
irregular enough, more secure than the routing methods are grilles, also called 
trellis ciphers (French grille, German Raster). Generally, a set of prefabri¬ 
cated grilles is needed. An important practical simplification appears in the 
turning grille, which brings the different windows of one and the same grille 
into action by rotation. It was described in 1885 by Jules Verne (1828-1905) 
in the story Mathias Sandorff. Grilles were used in the 18th century, for 
example in 1745 in the administration of the Dutch Stadthouder William IV. 


o e u r 
r b t r 
o o m t 
h a h s 


Fig. 45. 
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Turning grille with two positions 


1 12 3 4 



Fig. 46. Turning grille with four positions 


The mathematician C. F. Hindenburg studied turning grilles more systemat¬ 
ically in 1796, followed by Moritz von Prasse 1799, Johann Ludwig Kliiber 
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1809. There are grilles with two positions (Fig. 45) and, preferably, with 
four positions (Fig. 46), which are often called Fleissner grilles 2 in ignorance 
of their historical origin. Nulls are used to fill empty places. 

The construction of turning grilles is simple enough: A quadrant of a square 
checkerboard (with an even number 2u of rows and columns) is marked with 
the numbers 1... v , all numberings produced by rotation are superimposed, 
then for each number, a position of the rotated grille is selected and the cor¬ 
responding window is cut. The turning grille of Fig. 46 is obtained like this: 
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This technique allows the production of turning grilles according to a key 
pattern that lists the grille positions in the consecutive construction steps; 
for example, in the following suggestive way: 

jLiLrjur. 

The power of the class of turning grilles (for given n = 4is 2 ) can thus be 
determined: For a turning grille with two positions 2™/ 2 possibilities, for a 
turning grille with four positions 4"/ 4 = 2"/ 2 possibilities. For n = 36 as 
above there exist « 2.62 • 10 5 Fleissner grilles, the number of all permutations 
is 36 ! « 3.72 • 10 41 . 

Some of the military powers developed in the late 19th century a liking for 
route transcription and turning grilles on the tactical combat level. In the 
First World War, the German Heer early in 1917 suddenly introduced turning 
grilles with denotations like ANNA (5 x 5), BERTA (6 x 6), CLARA (7 x 7), 
DORA (8 x 8), EMIL (9 x 9) and FRANZ (10 x 10). After four months this 
was discontinued—to the distress of the French, who had easily broken the 
encryption. Grilles were part of the Heftschlusselverfahren of the Wehrmacht. 

Route transcription and turning grilles result in a transposition of the mes¬ 
sage and nothing else. A precursor, the Cardano grille, gives no transposi¬ 
tion, instead it introduces besides the characters visible through the window 
a larger set of nulls (Sect. 1.6). Grilles of any sort should normally not be 
used by serious cryptographers, but one cannot be sure that amateurs would 
not use them. Moreover, transposition in connection with substitution is to 
be taken quite seriously. 

2 Eduard Baron Fleifiner von Wostrowitz (1825 1888), Austrian Colonel, “Neue Patronen- 
Geheimschrift” ( Handbuch der Kryptographie, Wien 1881). The word ‘Patrone’, mlat. 
‘father form’, specimen form, was used in the textile industry for a drawing of the weaving 
pattern on checkered paper. In Jaroslav Hasek’s novel The Good Soldier Svejk a Hand¬ 
buch der militarischen Kryptographie von Oberleutnant Fleissner is mentioned, and 
other details pointing to a certain familiarity of Hasek with cryptography. 
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6.1.5 Genuine Fleissner grilles. The grilles advocated by Fleissner 
were quite special: they had an odd number of rows and columns. This left 
a window in the middle unused, and Fleissner recommended employing it for 
transmitting the starting position of the grille. In 1905, Hans Schneickert 
suggested using as fillers consecutive letters in the alphabet. But this may 


compromise the pattern of the windows: 
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The ambiguities can be eliminated exhaustively: hi collides with p, Oi with 
the remaining li2 = h, g2 with the remaining 02 = 0. The reconstructed grille 
at the right side gives the plaintext of 48 letters in four groups of twelve 
geschaeftsbu^cherordnenk)jnkursdrohte|fghiklmnopqr . 


6.1.6 A grille used by Erzherzog Rudolf. 

Erzherzog Rudolf (1858-1899), the Austrian crown 
prince, only son of Emperor Franz Josef von Habs- 
burg and his wife Elisabeth von Bayern, was a non¬ 
conformist, who finally committed suicide together 
with his mistress Baroness Mary Vetsera. He was 
a liberalist in opposition to the royal court and to 
Austrian antisemitism. An exhibition at the Vien¬ 
nese Hofburg shows some pieces from his private life, 
among others cryptographic means he used for his 
private correspondence which he had reasons to keep 
secret. He used a genuine Fleissner grille with four 



Erzherzog Rudolf 


positions and with an odd number of rows and columns (and not an even 


number, as Helen Fouche Gaines said). Figure 47 shows the 15 by 15 grille 


with 224 cells Rudolf used in 1889. At that time, 



£ 


Fig. 47. Fleissner grille used 
by Erzherzog Rudolf 
von Habsburg 


it was already known that grille systems are par- 
ticularly susceptible to multiple anagramming (see 
Sect. 21.3). This was published in 1879 by Edward 
S. Holden, based on previous work by John R. G. 
Hassarcl and William M. Grosvenor. Thus, Rudolf 
von Habsburg was just not well served by whoever 
was his advisor. On the contrary, it is remarkable 
that the grille he used shows many adjacent cells, 
an early case of a trapdoor that may have helped 
an unauthorized decipherer in the Evidenzbureau 
of the Viennese police. 



98 6 Encryption Steps: Transposition 

6.2 Columnar Transpositions 

Serious use of transpositions requires rather large values of n, coming close 
to the length of the whole message, in connection with the use of passwords, 
keys for selecting the transposition from a rather powerful set of encryption 
steps. In German, such a password is called a Losung. 

6.2.1 Passwords. They are already used in the simple columnar transposi¬ 
tion (French transposition simple a clef): The plaintext is written in rows of 
the chosen length k, the resulting columns are reordered according to a per¬ 
mutation 7r€7fc ( Losung ), and the cryptotext is read out column by column: 

eswarschondunkel it: 2 1 f 3 

' YT~T3 1 2 3 

e s w a S E AW 
r s c h SRHC 
o n d u N O U D 
nke 1 K N L E 

For cryptanalysis equivalent is obviously the block transposition or ‘com¬ 
plete-unit transposition’ (Gaines), French variante de Richelieu (Eyraud), 
German Gruppen-Transposition, Umstellung , which is as above except that 
the cryptotext is read out row by row: 

eswarschondunkel tt : 2 1 f 3 

' 1234' 

e s w a S E AW 
r s c h SRHC 
o n d u N O U D 
nke 1 K N L E 

This encryption can also be interpreted in the following way: the plaintext is 
divided into blocks of k elements and each block is permuted according to tt 
—this means a repeated monoalphabetic polygraphic encryption step of 
blocks of width k: block transposition is a complete-unit transposition. 
Simple columnar transposition is carried out with pencil and paper more 
easily and with less risk of error than block transposition. But although it 
spreads over the whole plaintext, it offers no more cryptanalytic security than 
complete-unit transposition—it is an example of a complication illusoire. 

6.2.2 Rectangular schemes. For route transcription and simple colum¬ 
nar transposition, decryption is made easier if the plaintext fits a rectangle or 
square of l rows. To accomplish this, nulls are frequently used. If they are 
not chosen with great care, unauthorized decryption is also much facilitated— 
e.g., if the plaintext is filled up with q q q ... q q . By no means is this filling 
necessary; the length of the last row is determined by the division rest. 

Since simple columnar transposition and block transposition—even with in¬ 
complete rectangles—can be solved easily, more complicated transposition 
methods are worthwhile. They all can be understood to be composite meth¬ 
ods (see Sect. 9.1.1). 


| SEAWSRHCNOUDKNLE 


> SSNKERONAHULWCDE 

j 
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6.2.3 Two-step methods. An additional permutation is introduced in the 
mixed-rows columnar transposition (French transposition double, Givierge, 
Eyraud): The plaintext is written in rows of the chosen length k according 
to some permutation 7Ti, the resulting columns are reordered according to a 
second permutation 7 t 2 , and the cryptotext is read out column by column, 
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7Ti: 2 4 13 7t 2 : 2 14 3 


SKSNRNEOHLAUCEWD 


Correspondingly, the mixed-rows block transposition is handled as above, but 
the cryptotext is read out row by row: 

7Ti: 2 4 13 7r 2 : 2 14 3 
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> SRHCKNLESEAWNOUD 


The same effect can be attained by using 7Ti afterwards: 


^e swarsch o n cl u n k e 1^ 7 t 2 : 2 1 4 3 7Ti: 2 4 13 

2143 1234 
e s w a S E A w 
rsch SRHC 
O n d u N O U D 
n k e 1 KN L E 

Mixed-rows columnar or block transposition with a square can use the same 
permutation both times, 7r 2 = 7Ti . Taking 7r 2 = 7r) -1 gives a method attri¬ 
buted by Kerckhoffs in 1883 to the Russian Nihilists (‘Nihilist transposition’). 
For a mathematical treatment of these transpositions, we assume that plain¬ 
text and ciphertext are represented by a rectangular (or square) matrix X of 
l rows, each with k elements. 

Permutation of the rows then means multiplication from the left by an 
l x l permutation matrix ir\ , 

X I—* TZ\X . 

while permutation of the columns means multiplication from the right by a 
k x k permutation matrix 7r 2 , 

X 1 —* Xtt 2 . 


1 SRHC 2 

2 KNLE 4 

3 S EAW 1 

4 N OUD 3 


> SRHCKNLESEAWNOUD 


Row-column transcription means a matrix transposition (mirroring at the 
diagonal), 
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X ^ X T . 

Now, block transposition is just X i—> Xn 2 , while columnar transposition is 
described by a column permutation, followed by a row-column transcription: 
X i ► (Xtt 2 ) T 

therefore, since a permutation matrix is orthogonal, 7 = tt^ 1 , also as a 
row permutation with of the transposed matrix, 

X ^ 7T^’ 1 X T . 

A mixed-rows block transposition is just 
X 1—> (7TiA)7r 2 = 7ri(X7r 2 ) , 
while a mixed-rows columnar transposition reads 
A i-> ((7riA)7r 2 ) T . 
or in the variant form 

X 1—► TT2 1 X T 7rj“ 1 . 

6.2.4 Ubchi. The double columnar transposition (French double transpo¬ 
sition 3 , German doppelte Spaltentransposition, Doppelwiirfelverfahren) uses 
simple columnar transposition twice. This would in principle mean using two 
different passwords, which for square matrices is not always done. 

Double columnar transposition can be interpreted as 
X 1—> ((Xtt) T tt') t = (n')~ 1 XTr , 

which is indistinguishable from a mixed-rows block transposition. Both are 
mappings by a cross-product 7Tj x 7r*.. For the Nihilist transposition the map¬ 
ping is a similarity transformation, the same is true for the US Army Double 
Transposition in case l = k (see below). All these methods require essentially 
the same cryptanalytic techniques as simple columnar transposition. 

Double columnar transposition with one password was used in the US Army 
for quite a while (‘US Army Double Transposition’). It was also used un¬ 
suspectingly by the German Kaiserliches Heer —the French under Major, 
later Colonel and even General, Frangois Cartier called it ubchi, since dur¬ 
ing German prewar manoeuvres, drill messages were marked ubchi, short for 
iibungschiffrierung. The French learned to break the encryption from this 
material and read the serious material until November 18, 1914. 

Strangely, the Deutsche Wehrmacht had not learnt from this and returned to 
its sins: From the outbreak of World War II until July 1, 1941 and again from 
June 1, 1942 double column transposition with a password that was changed 
every day served as an emergency cipher for the Heer ( Handschlusselverfah- 
ren), used from regiments downwards, and for the Kriegsmarine ( Reserve- 
Handverfahren, Notschliissel). This time, the British read along too. The use 
of two different passwords, or even triple columnar transposition, would not 
have helped: the relevant method of “multiple anagramming” was quite gen¬ 
eral. More about cryptanalysis of columnar transposition in Chapter 21. 

3 Note the difference in French: transposition double (6.2.3), double transposition (6.2.4). 
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Double columnar transposition (with one password) was the preferred crypto¬ 
graphic system of the Dutch Resistance and the French Maquis. It was also 
used by the British espionage and sabotage organisation Special Operations 
Executive (S.O.E.), founded by Churchill in 1942. This was finally confirmed 
in 1998 by Leo Marks, former head of the S.O.E. code department. 

6.2.5 Stencils. A true complication for the unauthorized decryption of 
simple transpositions is the introduction of irregularly distributed positions 
which are left blank: the Heftschliisselverfahren 1937 of the Wehrmacht , which 
used a 13 by 13 grille with 10 blanks per row and column, and the PA-K2 sys¬ 
tem, Japan, 1941. The USA broke the PA-K2 stencil encryption routinely, 
although often with considerable delay. 

The Rasterschliissel 44 of the German Armed Forces, introduced in March 
1944, would have been no exception, had it not been introduced very late in 
the war. Anyhow, the British, after the landing in Normandy, found plenty 
of material; but they had to learn first the complicated deciphering. The 
authorized Germans were frequently not much better off. But Rasterschliissel 
was praised by the Allies for its being practically unbreakable if used properly. 



Fig. 48. Rasterschliissel 44 of the German Armed Forces, introduced in March 1944 


Figure 48 gives an example from the Schliisselanleitung , edition of March 27, 
1944 for the method called crossword puzzle by the British: The plaintext 
Feind greift. seit 11.^5 Uhr bei Orjechow mit 8 Panzern nach Siidwesten an 
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was first prepared as commonly prescribed, replacing, e.g., /ch/ by /q/; the 
placename was enclosed by /aa/ and /ee/, doubled and superenciphered with 
the help of an ,Ortsnamenalphabet‘ (placename alphabet), here 

abcdef ghi j kl mnopqrst uvwxyz 
nml yaxwf uqt dzr i vkgeopj s hbc 

In this way Orjechow produces igqalfis, and altogether the prepared plaintext, 
comprising 77 characters (limits: minimal 60, maximal 200 characters), reads 
feindgreiftseitelfxvierfuenfuhrbeiaaigqalfisigqalfiseemitaqtpanznaqsuedwestan. 
The message is entered row by row; there are 10 blanks per row with maxi¬ 
mally 24 rows of the stencil that was changed every day. The starting field 
was chosen arbitrarily—say column bb and row ae. 

The key negotiation is found in a prefix (‘ Spruchkopf) of the message com¬ 
prising, apart from the indicator bbae, simply enciphered according to a 
table at the back of the stencil, also the tactical time and the total number 
of characters of the message, say 1203-77-tuzd . 

From the number of minutes and the number of characters the total sum of 
the digits is formed (here 0+3+7+7= 17) and the columns are counted from 
the initial column (here bb) by as many columns (here 17). This produces 
here ee, and with this column the read-off of the cipher text, following the 
given numbering, is started: 

1203-77-tuzd 

dianm rqtvf nnris iffgp uefzg naeeh aeuta iiead 
agqql wibsf fxuti teeaa eniqs sirli efese It 

It is easy to see that the deciphering is uniquely determined by reversing the 
order of the steps. 

6.2.6 Construction of permutations. Many schemes can be imagined 
for the derivation of permutations to be used in the columnar transpositions 
from a mnemonic password. One frequently mentioned in the literature goes 
as follows. 

Each password letter is given the number of its alphabetic ranking: 

M A C B E T H 
6 13 2 4 7 5 

This is simple enough if the password has no repeated letters. If it has, a 
slightly corrected scheme ranks repeated letters consecutively: 

A M B A S S A D E D A L L E M A G N E 
1 15 6 2 18 19 3 7 9 8 4 13 14 10 16 5 12 17 11 

6.3 Anagrams 

Transposition leaves invariant the bag 4 of characters of a plaintext. An ana¬ 
gram poses the problem of reconstructing from the bag the plaintext. If ana- 

4 i.e., repeated elements counted one by one. The statement is also trivially valid for sets. 
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grams could be solved systematically, then all transposition encryption would 
be broken. 

6.3.1 Origins. Anagrams have a rich history. Huyghens gave the following 

a 7 c 5 d 1 e 5 g 1 h 1 i 7 l 4 m 2 n 9 o 4 p 2 q 1 r 2 s 1 t 5 u 5 , 
which allows the interpretation 

‘annulo cingitur tenui piano, nusquam cohaerente, ad eclipticam inclinato ’ 
([Saturn] is girdled by a thin flat ring, nowhere touching, inclined to the ecliptic). 

Newton wrote to Leibniz 

a 7 c 2 d 2 e 14 f 2 i 7 l 3 m 1 n 8 o 4 q 3 r 2 s 4 t 8 v 12 x 1 , 
which could have meant l data aequatione quodcumque fluentes quantitates 
involvente, fluxiones invenire et vice versa ’ (from a given equation with an 
arbitrary number of fluentes to find the fluxiones and vice versa). 

Anagrams were a pastime for scientists in the 17th century, and this may be 
reflected in the liking amateurs have for transposition methods even nowa¬ 
days. 

Galilei wrote to Kepler a masked anagram: 

HAEC IMMATURA A ME IAM FRUSTRA LEGUNTUR O. Y. 

(These unripe things are now read by me in vain); 
it was to mean 

‘cynthiae figuras aemulatur mater amorum ’ 

(The mother of love [= Venus] imitates the phases of Cynthia [=Moon]). 

(At these times, scientists paid a lot of attention to establishing priority: 
Carl Friedrich GauB published April 25, 1812 an important result on the 
perturbation of the Jupiter orbit by the little planet Pallas by the presumably 
binary chiffre IIIIOOOIOOIOIOOI. ) 

A modern example is ASTRONOMERS , which can be read as moon starers , 
but also no more stars . 

King Ludwig II of Bavaria (the insane builder of Neuschwanstein) wrote the 
(not very deep) masked anagram MEICOST ETTAL, to be read I’etatc’estmoi. 

The pharmaceutical industry makes use of anagrams, too: The trademark 
KLINOMYCIN® (Lederle) denotes the agent Minocyclin. This is only one 
example of wordplay in sales promotion. 

In experimental lyrics, anagram poems are found like the following one by 
Francesco Gagliardi 

Gluck und Sommer weinen Waden, Rohricht neu, 

Rad und Roche suchen Note: Gliihweinwimmern. 

Randenhiigel, Wut und Nock: wie Ore schimmern. 

Wanderturme, Gnom in Kochern wund, eil scheu. 

of type a 1 c 2 d 2 e 5 g 1 h 2 i 2 k 1 l 1 m 2 n 5 o 1 r 3 s 1 t 1 u 2 w 2 o 1 u 1 . 
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admonition 

algorithms 

ancestries 

auctioning 

broadsides 

catalogues 

collapsing 

configures 

contenting 

countering 

dealership 

decimation 

denominate 

denouncers 

descriptor 

discoverer 

egocentric 

enervating 

excitation 

harmonicas 

impression 

indiscreet 

mouldering 

ownerships 

persistent 

pertaining 

platitudes 

procedures 


domination 

logarithms 

resistance 

cautioning 

sideboards 

coagulates 

scalloping 

refocusing 

contingent 

recounting 

leadership 

medication 

emendation 

uncensored 

predictors 

rediscover 

geocentric 

venerating 

intoxicate 

maraschino 

permission 

iridescent 

remoulding 

shipowners 

prettiness 

repainting 

stipulated 

reproduces 


alarmingly 

alienators 

antagonist 

australian 

catalogued 

certifying 

compressed 

conserving 

coordinate 

creativity 

decimating 

deductions 

denotation 

deposition 

directions 

earthiness 

enduringly 

enervation 

filtration 

impregnate 

impressive 

introduces 

nectarines 

percussion 

persisting 

petitioner 

positional 

profounder 


marginally 

senatorial 

stagnation 

saturnalia 

coagulated 

rectifying 

decompress 

conversing 

decoration 

reactivity 

medicating 

discounted 

detonation 

positioned 

discretion 

heartiness 

underlying 

veneration 

flirtation 

permeating 

permissive 

reductions 

transience 

supersonic 

springiest 

repetition 

spoliation 

underproof 


Fig. 49. Ten-letter word anagrams (by Hugh Casement) 


Among British intellectuals, anagrams are still popular today (Fig. 49). They 
are also the subject of riddles in German weeklies: 


IRI BRATER, GENF 
FRANK PEKL, REGEN 
PEER ASTIL, MELK 
INGO DILMUR, PEINE 
EMIL REST, GERA 
KARL SORDORT, PEINE 
GUDRUN SCHRILL, HERNE 


Brieftragerin 

Krankenpflcger 

Kapellmeister 

Diplomingenieur 

Lagermeister 

Personaldirektor 

Grundschullehrerin 


6.3.2 Uniqueness. The question arises, whether from a heap of letters more 
than one meaningful message can be constructed. Jonathan Swift already 
answered this question when he pointed out in his satire Gulliver’s Travels , 
that a malicious political enemy could interpret a harmless sentence like 


OUR BROTHER TOM HATH JUST GOT THE PILES 


by transposition (‘Anagrammatick Method ’) as the conspirative message 

Resist, — a Plot is brought home — The Tour. 

Indeed, experience shows, and is supported by Shannon’s theory, that there 
is no length for which an anagram must have a unique decryption. 

Historically, it should be added that an early first form of transposition is 
found in the ancient Greek skytale (crnvra Ae) that is known from the fifth 
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century B.C.: a staff of wood, around which a strip of papyrus is wrapped. 
The secret message is written on the papyrus down the length of the staff. 

After the decline of classical culture and the collapse of the Roman empire, 
the first encryption by transposition is found, according to Bernhard Bischoff, 
in the mediaeval handwriting of bored monks: here and there crab, vertical 
writing, and play on words, often rather perfunctory. 

Transposition lost its importance with the surge of mechanical cipher ma¬ 
chines at the beginning of the 20th century, since it is hard for a mechanical 
device to store a great number of letters. Things have changed since then. 
Semiconductor technology now offers enough storage to encrypt effectively 
with transposition, and tiny chips provide millions of bits, with very short 
access time, for the price of a bus ticket. The 21st century will see trans¬ 
position regain its true importance. 



7 Polyalphabetic Encryption: 
Families of Alphabets 


Monoalphabetic encryption uses some encryption step (possibly a polygra¬ 
phic one) over and over. All the encryption steps treated in Chapters 3 6 
can be used monoalphabetically—in the examples this was tacitly assumed. 
Genuine polyalphabetic encryption requires that the set X (see Sect. 2.3) of 
available encryption steps has at least two elements, i.e., that the cryptosys¬ 
tem M has at least the cardinality 9 = 2. For the frequent case 9 = N , 
where N = \V\, the French literature speaks of a chiffre carre. 

The individual encryption steps can be of quite different nature; for example, 
the cryptosystem M could consist of one or more simple substitutions and 
one or more transpositions of some width. This could drive an unauthorized 
professional decryptor crazy, since customarily all encryption steps within the 
same cryptosystem should belong to the same narrow class—for example, all 
substitutions, or all linear substitutions of the same width, or all transpo¬ 
sitions. Frequently it is even required that all steps have equal encryption 
width, and block encryption may be wanted for technical reasons. 

The main problem is to characterize in a simple way many different encryp¬ 
tion steps or, as one says, to generate many different alphabets. Surprisingly, 
the imagination of inventors has so far left open many possibilities. 

7.1 Iterated Substitutions 

A natural idea is to build a cryptosystem by systematically deriving from one 
encryption step (primary alphabet, German Referenzalphabet ) other encryp¬ 
tion steps. This we have seen for simple substitution in Sect. 3.2.4, where 
families of derived alphabets were obtained by taking all shifts and raising to 
all powers. 

We shall see that both these families are constructed using the concept of 
iterated substitution S' 1 , defined by pS J+1 = (p S) for a necessarily 
endomorphic (V = W) substitution S. In fact, iterated substitution is pre¬ 
dominant in generating accompanying alphabets. 
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7.1.1 The endomorphic case. We concentrate our attention on the case 
V = Q , W = Q. Let S : Q n -<— yQ n . Then S l : Q n -4— >-Q n and we have 

(a°) { S l : i € IN } , the group of powers of a mixed alphabet S. 

With some substitutions Pi : VA—>- Q n and P2 : Q n * ;—s-IF , there is the set 

(a) { P 1 S i P 2 : i G ON } where P 1 S i P 2 : 

with the special cases (') V = Q n ,P\ = id and (") W = Q n , P2 = id . 
Furthermore, with some additional substitution R : Q n -4—>- Q n , we have 
(b°) { S l RS~ l : i G IN } , the group of S-similarities of R . 

Again, with some substitutions Pi, P 2 as above, there is the set 

(b) { P 1 S i RS~ i P 2 : i € IN } where P 1 S i RS~ l P 2 : V+-+W 

The families are in any case finite, since Q n -i — yQ n with finite | Q |= N 
contains not more than ( N n )! different permutations. 

For S of the order h < (N n ) !, i.e., S h = id and S l ft id for i < h , the 
powers produce h different alphabets. Note, that h > N n is possible: For 
N = 5 , g = l, the substitution (in cycle notation) ( ab)(cde ) is of the order 6. 
It may happen that h is rather small: For a self-reciprocal S , there is apart 
from the identity id no other power of S. 

7.1.2 Cyclic permutations. It is by no means necessary, but it may be 
advantageous, to choose for S a cyclic permutation a, of the order N n . 
The N n powers of cr can be mechanized in this case, as already mentioned 
in Sect. 3.2.8 (Fig. 28). If N is of the order of magnitude 25, n = 2 will 
rarely be surpassed. There are (N n — 1)! different cyclic permutations. 

7.2 Cyclically Shifted and Rotated Alphabets 

Once a standard alphabet in Q is distinguished, there is also a standard 
alphabet fixed in Q n by lexicographic ordering. The cycle belonging to 
this ordering (Sect. 3.2.3) and the corresponding substitution of the standard 
alphabet are in the following denoted by p. The Pi and R above are then 
functioning as primary alphabets. 

7.2.1. With p l for S l in Sect. 7.1.1 , we have the powered cycles 

(a°) { p l : i G IN } = { : i G IN } = { pp l : i £ IN } , 

the group of shifted standard alphabets (French alphabets normalement par- 

allele, German verschobene Standardalphabete). Particular cases of (a): 

(a') { p l P : i G IN} is the set of horizontally shifted (mixed) 

P-alphabets (French alphabets desordonne et parallele ), 

(a") { Pp l : i € IN} is the set of vertically continued (mixed) 

P-alphabets (French alphabets desordonne et etendu verticalement). 
For the general case (Eyraud: alphabets non-normalement paralleles) 

(a) { P\p l P 2 : i G ON} see Sect. 8.2.3 (and Sect. 19.5.3). 
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The designations will become clear by a look at the tables for the families 
of substitutions: With V = Q = W = Z 2 6 and N = 26, for the primary 
alphabet P generated by the mnemonic password NEWYORKCITY, 

abcde fghi jklmnopqrstuvwxy z 

N EWYORKC I TABDFGHJ LMPQS UVX Z 

the set {p l P : * GIN} has the following table (in the form of a tabula recta, 
i.e., with identical letters along the diagonals from left below to right above) 

i abcde fghi jklmnopqrstuvwxy z 

0 NEWYORKCI TABDFGHJ LMPQS UVX Z 

1 EWY ORKCITABDFGHJ LMPQSUVX Z N 

2 W Y O R K C I T A B D F G H J L M P Q S U V X Z N E 

3 YORKC I TABDFGH JLMPQSUVXZNEW 

4 O R K C I T A B D F GH J L M P Q S U VX Z N E W Y 

5 R K C I T A B D F G H J L M P Q S U V X Z N E W Y O 


25 Z N EWYORKC I TABDFGH J LMPQ S UVX 

while the set { Pp l : i € IN} has the table 

i abcde fghi jklmnopqrstuvwxy z 

0 NEWYORKCI TABDFGHJ LMPQS UVX Z 

1 O F X Z P S LDJ UBCEGH I KMNQRT VWY A 

2 P G Y A Q T ME K V CD F H I J L N O R S U W X Z B 

3 QHZBRUNFLWDEGIJKMOPSTVXYAC 

4 RIACSVOGMXEFHJKLNPQTUWYZBD 

5 S J BDTWPHNYFGI KLMOQRUVX Z AC E 


24 L C U WM P IAGRYZBDEFH JKNOQ S TVX 

25 MDVXNQ JBH S ZACEFG I KLOPRT UWY 

The horizontally shifted P-alphabets show the primary alphabet P in every 
line, shifted from line to line by one position to the left; the vertically con¬ 
tinued P-alphabets show the primary alphabet P in the first line only, and 
it is continued vertically in the standard order. 

7.2.2. Furthermore in Sect. 7.1.1 for the ^-similarities of R, with p l for S' 1 , 
(b°) { : i € IN } 

is the group of rotated P-alphabets (the designation will be motivated in 
Sect. 7.3). 

For the particular case P\ = P,P 2 = P~ 1 of (b), there is 

(b*) { Pp i Rp- i P~ 1 : * G IN } 

the set of P-rotated (mixed) P-alphabets. 
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Taking now for R the same primary alphabet NEWYORKCITY as above, 
the set { p l Rp~ l : * € IN } has the table 

i abcdefghijklmnopqrstuvwxyz 

0 N EWYORKC I TABD FGH J LMP QS U V X Z 

1 D V X NQ J B H S Z A C E F G I K L O P RT U W Y M 

2 U WM P I A G R Y Z B D E F H J K N O Q S T V X L C 

3 VLOHZFQXYACDEGIJMNPRSUWKBT 

4 KNGYEPWXZBCDFHILMOQRTV J A S U 

5 MF XDOVWYAB CEGHKLNPQ S U I Z R T J 


21 X Z A C E S J B D TWP H N YF G I K L MO Q R U V 

22 Y Z BDRI ACSVOGMXEFHJKLNPQ T UW 

23 YACQHZBRUNFLWDEGI JKMOPS TVX 

24 ZBPGYAQTMEKVCDFHI JLNORSUWX 

25 AO FXZP S LDJ UBCEGH I KMNQRT VWY 


The rotated or P-rotated R-alphabets show the primary alphabet R in the 
first line only; along the diagonals from left below to right above the alphabet 
turns up in the standard order. 


7.2.3 Mechanization. The family of shifted primary alphabets can be me¬ 
chanized, as mentioned in Sect. 3.2.7, by an Alberti cipher disk or a cipher 
slide. For mechanization of rotated primary alphabets see Sect. 7.3. We shall 
speak of ALBERTI encryption steps in the case of horizontally shifted P- 
alphabets, of ROTOR encryption steps in the case of R-rotated standard 
alphabets. 


7.2.4 Cycle decomposition of an accompanying alphabet. Example: 


For Q 


abcde\ 
BADEC J 


one obtains 


pQ 

Qp 

pQp - 1 


abode 
b c cl e a 

a b c d e \ 
BADEC ) 


a b c cl e \ 
ADECB ) 


= (a b) (c cl e) and p = (a b c cl e), 


fbcdea\ /abcde\ 

^ ADECB ) yADECB J 

/ B AD E C \ _ / a b c cl e \ 
y C BEAD J ~ C BEAD J 

( ADECB\_/abcde\ 
VECDBA ) ~ E CDB A ) 


In the substitution notation the alphabets are in this example 


i 

a 

b 

c 

cl 

e 

i 

a 

b 

c 

d 

e 

i 

a 

b 

c 

cl 

e 
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B 

A 

D 

E 

C 

0 

B 

A 

D 

E 

C 

0 

B 

A 

D 

E 

C 

1 

A 

D 

E 

C 

B 

1 

C 

B 

E 

A 

D 

1 

E 

C 

D 

B 

A 

2 

D 

E 

C 

B 

A 

2 

D 

C 

A 

B 

E 

2 

B 

C 

A 

E 

D 

3 

E 

C 

B 

A 

D 

3 

E 

D 

B 

C 

A 

3 

B 

E 

D 

C 

A 

4 

C 

B 

A 

D 

E 

4 

A 

E 

C 

D 

B 

4 

D 

C 

B 

E 

A 
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In cycle notation one obtains 

for the set of horizontally shifted Q-alphabets 

{ (a b)(c d e) , (a)(b dee), (a cl b e)(c) , (a e d)(b c) , (a c)(b)(d)(e) } 
for the set of vertically continued Q-alphabets 

{ (a b)(c d e) , (ace d)(b) , (a cl b c)(e) , (a e)(b cl c) , (a)(b e)(c)(d) } 
for the set of rotated Q-alphabets 

{ (a b)(c d e) , (b c)(d e a) , (c d)(e a b) , (d e)(a be), (e a)(b c d) } . 

From the theory of groups it is known that a similarity transformation p l Qp~ l 
leaves the length of the cycles of a permutation Q invariant. All substitutions 
from the family of P-rotated alphabets have the same cycle decomposition. 
This has been called ‘The Main Theorem of Rotor Encryption’. For the 
(horizontally or vertically) shifted P-alphabets, this is not the case. 

In our case, the partition belonging to the cycle decomposition is 3 + 2 . 
In the example of Sect. 7.2.2, the partition is 10 + 8 + 6 + 1 + 1, e.g., for i =0 
the decomposition (a n f r 1 b e o g k) (c w u q j t p h ) (d y x v s m ) (i) (z). 

7.2.5 Size of the families. The number of different alphabets among the 
accompanying ones is exactly N n for (a), it is between 1 and N n for (b), 
depending on R. It is 1 if P is the identity; it is N n , if pi P ^ Ppi for 
i = 1 , 2 , ... , N n — 1 . 

For small values of N n , there are only few ‘rotors’ R fulfilling this condition. 
For N n = 4 and p = (a b c d) , there are only four maximal ‘rotor’ families: 

{ (a b), (b c), (c cl), (d a) } , { (a c b d), (b d c a), (c a cl b), (d b a c) } , 

{ (a c b), (b cl c), (c a d), (cl b a) } , { (a b c), (b c cl), (c d a), (dab)}; 

for N n = 3 and p = (a b c) only one : { (a b), (b c), (c a) } . 

For N n = 2 , there is no ‘rotor’ family of two members. 

7.3 Rotor Crypto Machines 

With the introduction of electric typewriters, electromechanical ciphering 
machines came to the fore. For a realization of a fixed substitution P with 
electric contacts, a switchboard may serve, with N entry sockets for the 
plaintext characters and N exit sockets for the cryptotext characters, in¬ 
ternally connected by N wires, Fig. 50 (a). 

To obtain a realization by electric contacts for a family {Pp 1 } of shifted 
P-alphabets, sliding contacts are put behind the exit sockets of the switch¬ 
board, or rather the switchboard slides before a contact row, as shown in 
Fig. 50 (b). In any case, flexible wires are needed, which leads to a problem 
of mechanical breakage. 

This can be avoided if a movable contact row is attached on the entry side as 
well as on the exit side of the switchboard, coupling both rigidly. Sliding the 
switchboard does it equally well, and now flexible wires are no longer needed. 
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Fig. 50. Fixed substitution, shift and rotation 
realized by electrical contacts 


This is shown in Fig. 50 (c). Duplication of the contacts is not necessary any 
longer, if a cyclically closed contact row, i.e., a movable switching drum (Ger¬ 
man Walze), a rotor, is used. In this way, a realization of the family { p~ l Rp *} 
is obtained, which gives it the name -R-rotated (standard) alphabets. 

Using slip-rings with a switching drum allows the realization of shifted P- 
alphabets {Pp 1 } ■ This has been called more recently a half-rotor (Fig. 51). 

7.3.1 Arthur Scherbius. On February 23,1918, the 
engineer and inventor Dr. Arthur Scherbius (October 30, 

1878-May 13, 1929), living at Berlin-Wilmersdorf, Hil- 
degardstrasse 17, filed under the sign Sch 52638 IX/42n 
at the Reichspatentamt a patent application for a ‘ Chif- 
frierapparatl , an electric cipher machine, simpler and 
more efficient (‘ einfacher und leistungsfdhigeP ) than the 
ones hitherto known 1 . 

On April 15,1918, Scherbius wrote to the Office of the 
Imperial Navy ( Reichs-Marineamt) and offered his inven¬ 
tion for examination. A confidential position paper (on 
July 16, 1918) of the Marineamt , Department DII came 
to the conclusion that the cipher machine would electri- pig. 51. 
cally transform simply by means of a keyboard the plain- ‘Half-rotor’ of 

text (letters or numbers from a code book) into a cipher Arvid Damm (1919) 



1 The patent, supplemented by an application under the sign Sch 53189 IX/42n on June 
21,1918, was granted rather late (July 8,1925) under the number DRP 416219 for Scher¬ 
bius’ company Gewerkschaft Securitas in Berlin, renamed in 1923 Chiffriermaschinen 
A.G. (Berlin W 35, Steglitzer Str. 2). The patent application in the USA was made on 
February 6,1923; the US Patent No. 1,657,411 was granted in 1926. A British patent 
No. 231502 was applied for on March 25,1925 with German priority on March 26,1924. 
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script. The price for a single machine, including a coupled typewriter, was 
given at around 4500 Reichsmark (about 1000 $) and the time for delivery was 
8 weeks. The Imperial Navy stated that the device offered high security, even 
if it fell into the hands of an enemy. But it did not buy the machines because 
of the prevailing opinion that existing ciphering by hand was sufficient and 
the use of machines was not worthwhile. Instead, the Navy suggested to the 
German Auswartiges Amt (Foreign Office) that they should examine the use 
of the machine for diplomatic correspondence. They also declined the offer. 



Fig. 52. Scherbius’ ENIGMA A of 1923 



Fig. 53. Scherbius’ ENIGMA B of 1924 , with type-bar printing 


In the early 1920s, Scherbius tried to exploit commercially his invention. In 
the first models, ENIGMA A (Fig. 52) and ENIGMA B (Fig. 53), the type¬ 
writer was an integral part. The ENIGMA A, using a type-wheel, was pre¬ 
sented in 1923 at the International Postal Congress, held in Bern, and in 1924 
at the International Postal Congress held in Stockholm. The ENIGMA B of 
1924 used instead type-bars for capital letters and minuscules. 

7.3.2 Rotors. The nucleus of Scherbius’ invention was what is called today 
‘rotors’ in the form of wheels or drums—Scherbius used in 1918 the expression 
‘ LeitungszwischentrdgeP(Fig. 54: ), later he called it ‘DurchgangsradeP. 

The idea of the electric contact-rotor originated before 1920 independently in 
at least four places. According to Kahn, material from a patent hearing testi- 
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Zu der Patentschrift 416219 


Abb. i 


Kl. 42n Gr. 14 




Fig. 54. Rotoren (‘Durchgangsrader’, ‘Walzen’ ) with ten contacts from Scherbius ’ pa¬ 
tent application of 1918 and with 26 contacts from the ENIGMA C of 1925 



Edward Hugh Hebern Arthur Scherbius Arvid Gerhard Damm 


mony (US Patent Office Interference 77 716) shows that the American Edward 
Hugh Hebern (1869- 1952), who had in 1915 connected two electric typewrit¬ 
ers monoalphabetically by 26 wires, made in 1917 the first drawings of a rotor 
to change the connection mechanically and thus to have 26 alphabets avail¬ 
able. He only filed for a US patent in 1921 and received one (No. 1510 441) 
at last in 1924. Thus, three other patents were filed earlier: by the German 
Arthur Scherbius (1878-1929), German Patent 416 219 filed February 23, 
1918, and then, almost in a dead heat, by the Dutchman Hugo Alexander 
Koch (1870-1928), Netherlands Patent 2 No. 10700 filed October 7, 1919, and 
by the Swede Arvid Gerhard Damm(f 1927), Swedish Patent No. 52279 filed 
October 10, 1919 (he invented half-rotors and influence letters). 

None of these inventors found fortune or happiness. Hebern was treated very 
badly by the US Navy in 1934 and later by the US Government; in 1941 he lost 


2 The patent rights were transferred on May 5, 1922 to N. V. Ingenieursbureau Securitas; 
in 1927, Scherbius’ company absorbed the patents. Karl de Leeuw disclosed in 2003 
that Koch was only a figurehead for his brother-in-law, the patent attorney Huybrecht 
Verhagen, who had ‘pinched’ the rotor idea from the Dutch Navy officers Theo A. van 
Hengel (1875-1939) and R. P. C. Spengler (1875-1955)—they had a model built for the 
Dutch Navy as early as 1915, two years before Hebern and three years before Scherbius. 
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a patent interference case against International Business Machines. He had 
little income when he died from a heart attack at the age of 82. Koch died in 
1928. Scherbius suffered a fatal accident 3 ; his company’s name, former¬ 
ly Gewerkschaft. Securitas, then Chiffriermaschinen Aktiengesellschaft, was 
changed in 1934 to Heimsoeth & Rinke (Dr. Rudolf Heimsoeth and Elsbeth 
Rinke, Berlin-Wilmersdorf, Uhlandstr. 136) and lasted at least until 1945. 

Damm was an homme galant. He had moved in 1925 to Paris and died in 1927; 
his company was taken over by Boris Hagelin (July2, 1892-Sept. 7, 1983), 
who abandoned the half-rotor in 1935 and in 1939 renamed the company Ak- 
tiebolaget Ingenjorsfirman Cryptoteknik. Damm is actually out of place here 
in that he used his 5-contact half-rotors in pairs for a Polybios-type cipher. 

In his patent application of 1918, Scherbius discussed multiple rotors, used 
successively with the purpose to increase the number of generated substitu¬ 
tion alphabets—with n rotors and a vocabulary of N characters they may 
amount up to N n . Likewise, Hebern used five rotors (two of which had a fixed 
position). Scherbius proposed originally 10-contact rotors (N= 10), suited for 
the superencryption of numeral codes, and 25-contact rotors ( N= 25) for the 
letters of the Latin alphabet (omitting j), and mentioned the cases of three 
and, in the Navy proposal, of ten rotors. Later, in the first commercial models 
ENIGMA A of 1923 (and ENIGMA B of 1924), he used four rotors. In this 
case there is the family {^(j 1 ,i 2 ,i 3 ,i 4 )} (ii, * 2 , * 3 , H G {1, 2,..., N}) , where 

i?(ii ,i 2 ,i 3 ,u) = P~ h Rn P h ~ i2 Rm P l2 ~ i3 Rl P h ~ li Rk P u ■ 

For the ENIGMA A with N= 28 (normal alphabet with two additional char¬ 
acters for spaces) there are 28 4 = 614656 different positions and hardly fewer 
members provided Rk,RliRm and Rn are suitably chosen. 

With the ENIGMA C, introduced in 1925/1926, Scherbius left the provision 
of a writing device and used, as already mentioned in the patent application, 
glow-lamps in a display; the ENIGMA C was battery-operated (4.5 Volt) and 
had in the jargon the name Gliihlampentype. The cipher text was to be read 
off character by character and written down by hand; it was then as a rule 
sent by Morse wireless. The keyboard and the lamp field were alphabetic. 

7.3.3 Reflector. When the commercial ENIGMA C of 1925/1926 was de¬ 
signed, Scherbius’ colleague Willi Korn 4 (patent filed March 21, 1926, Ger¬ 
man Patent 452 194) presented the seemingly clever idea of introducing a re¬ 
flector (German Umkehrwalze; in Bletchley Park sometimes misspelled Umk- 
erwaltz and pronounced ‘Uncle Walter’). Since in this way each rotor came 
twice into play, the misleading sentiment was that the resulting permutation 
was better mixed and therefore the number of rotors proper could be reduced 
to three. With these three, now exchangeable rotors, Rl, Rm, and R^r, and 

3 Actually, according to Wilhelm Fenner and Otto Leiberich, he committed suicide. 

4 Korn gave the ENIGMA much of its modern form. He filed a number of patents, the 

last German Patent No. 607 638 on March 5, 1930, after which there are in Berlin no 

traces of Korn left. His last US patent was No. 1,938,028, issued on December 5, 1933. 
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+ 4.5V 


Fig. 55. Electric current in a hypothetical machine with three rotors without a reflector 
for push-button e and lamp H (or for push-button m and lamp S). 



+ 4.5V 


Fig. 56. Electric current in a 3-rotor ENIGMA C with reflector U and stator S 
for push-button e and lamp M (or for push-button m and lamp E). 


a properly self-reciprocal substitution U (which requires N to be even), we 
have the family {P( il>i2i , 3 )} (ii,h, h, U € {1, 2,..., N}) , where 

^ > (*1i*2i*3) = * 3) U an< ^ 

%i,i 2 ,i 3 ) = p~ h Rn P il ~ i2 Rm P l2 ~ i3 Rl P 13 ■ 

All members of this family of KORN encryption steps are now properly self¬ 
reciprocal permutations (see Sect. 3.2.1): N/2 pairs of letters are swapped. 
Figures 55 and 56 show the electric current for the plaintext character e and 
the corresponding cryptotext character H (without reflector), M (with reflec¬ 
tor). S denotes the stator, which serves both as entry and as exit. 

It was thought to be an advantage that encryption and decryption coincided 
and a switch was no longer needed. The reflector solution, however, had the 
consequence that no letter could be encrypted as itself. Ironically, this would 
turn out in the end to be ‘a cryptologic disaster’ (Sects. 11.2.4, 14.5.1, 19.7.2). 
Likewise, the fact that the electric current went through six rotors was by 
some people wrongly interpreted as additional cryptanalytical security. 

In the ENIGMA C (Fig. 57), ‘The Reciprocal ENIGMA’ (Hugh Foss), the re¬ 
flector U could be inserted in two fixed positions. This and the six possible 
permutations of the rotors provided 26 3 - 2 • 6 = 210 912 initial settings with 
hopefully the same number of resulting different substitution alphabets — the 
number of all possible KORN encryption steps is 26!/(13! • 2 13 ) = 7.91 • 10 12 . 
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Fig. 57. ENIGMA C (Scherbius and Korn), 1925; righthand side: opened. 
Alphabetic ordering of the keys 



Fig. 58. ENIGMA D (Scherbius and Korn) 1927; righthand side: opened 


The ENIGMA C (Hugh Foss: ‘Index’ machine) was replaced after two years by 
the commercial ENIGMA D (Fig. 58) of 1927. Now the reflector could be set 
in 26 positions like the three rotors; from the outside, it looked like another, 
fourth rotor, the reflecting rotor U- but it did not move during ciphering. 

Thus we have the family {P(i lt i 2 ,i 3 ,i 4 )} of genuine reflections, where 

= R ‘^ , (j 1 ,i 2 ,i 3 ,i 4 ) an< ^ 

= P~ h r n p il_i2 Rm P ,2 ~ i3 Rl P i3 ~ u , 
with 26 4 - 6 = 2 741 856 initial settings. 
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The commercial ENIGMA D (Welchman: ‘Glowlamp Machine’) was for the 
first time furnished with exchangeable rotors; the machine was widely used 
and went to Sweden, the Netherlands, Japan, Italy, Spain, UK, and the USA, 
and was bought legally by the Polish Biuro Szyfrow. The keyboard was es¬ 
sentially that of the standard German typewriter. Its successor, ENIGMA K, 
was delivered 1938-1940 to the Swiss Army (US codename INDIGO). In the 
later models for the Reichswehr, the reflecting rotor was fixed again (*4 = 0). 
The price of a single ENIGMA D was in 1928 about 600 Reichsmark ($ 140); 
about a hundred ENIGMA K units were sold in 1941 for 760 Reichsmark each. 
An ENIGMA was said to have been purchased in 1925 by Knox in Vienna. 


7.3.4 “Regular” movement of the rotors. The ENIGMA had from the 
very beginning a fixed key sequence generator, merely the starting position in 
this key sequence was variable. It was determined by the ‘ Grundstellung ’ (ba¬ 
sic wheel setting) of the rotors before beginning the encryption; the 3-letter 
group shown in the windows (depending on the ring setting) was called the 
‘indicator’. In the patent application of 1918, Scherbius advocated a counter¬ 
like mechanism 5 , but in the ENIGMA A, B he used four Antriebsrader , with 
11, 15, 17, 19 positions, with variable pitched gear drives; in the ENIGMA C 
and in almost all later models he returned to the cyclometric movement of 
the rotors: in the course of enciphering, the rotors (but not the reflector) were 
advanced by pawls and ratchet wheel notches (however by gears and single¬ 
toothed notches in the ENIGMA G). The rightmost rotor Rn was moved by 
one tooth at each enciphering step; this was called the “fast rotor”. 

A truly irregular movement of the rotors did not take place, except that for 
the rotors VI, VII and VIII of the Navy ENIGMA two notches were provided. 


Fig. 59. 

Funkschliissel C of the Reichsmarine. 1926; 
with additional vowels A, O, and U 
(X bypassing the wheels). 

Alphabetic ordering of the keys. 

Three rotors are chosen out of five available ones. 
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7.3.5 Introduction of the ‘Steckerverbindung’. On July 15, 1928, 
the Polish Cipher Bureau for the first time picked up ENIGMA-enciphered 
radio signals from the Reichswehr. The German Reichsmarine had started 
experiments in 1925 with a 28-contact 3-rotor ENIGMA ( Funkschliissel C, 


0 He wrote: “Der Transport der Zwischenleitungstrager kann auch, wie bei Zahlwerken 
[like that of counters], so erfolgen, dafi z.B. Rotor 7 nach jeder vollen Umdrehung 
Rotor 8 um einen Zahn weiterdreht, diese wieder in gleicher Weise Rotor 9 usw.” 
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Febr. 1926, Fig. 59) with an alphabetically ordered keyboard comprising addi¬ 
tional characters A, O, and U (X bypassed). The reflector could now be inser¬ 
ted in four fixed positions, denoted by a, . In 1933, minor modifications 
were made to the Funkschliissel C ; a 28-contact version including A, U was in 
test use. In the Reichswehr models ENIGMA G (introduced on July 1,1928 
under Major, later Generaloberst, Rudolf Schmidt, 1925-1928 head of the 
Reichswehr Chiffrier-Stelle —his brother Hans-Thilo Schmidt turned out to be 
a spy) and ENIGMA I (1930) there were again only 26 contacts and a key¬ 
board similar to that of the standard German typewriter (up to the position of 
the letter P); the connections from the keys to the contacts of the stator were 
in alphabetic order. The reflector had one fixed position. There was also an 
ENIGMA II with a typewriter; it was considered unpractical and little used. 

Because of the cyclometric movement of the rotors, the middle and the slow 
rotor are at rest during N steps of the fast rotor. If now a sufficiently long 
fragment of ciphertext or codetext and corresponding plaintext were known 
or could be guessed, there was a possibility for code breaking. 

Therefore, the ENIGMA I of the Heer (introduced June 1,1930), which be¬ 
came later the common Wehrmacht ENIGMA, was protected by adding a 
plugboard that provided for an additional (unnecessarily self-reciprocal) en¬ 
try substitution T , called the Steckerverbindung (cross-plugging), and corre¬ 
spondingly an exit substitution T~ l . This resulted in the 

ENIGMA equation Ci = Pi T S (ili<3i<3 ) U T -1 

between plaintext characters pi and cryptotext characters Cj ; there was an 
isomorphism (Sect. 2.6.3) between Ci T Si and P i T Si , since 

G T ^(11,12 J3) Pi ^ 22J3) ‘ 

7.3.6 The ‘Wehrmacht’ version. When in 1934 the Reichsmarine and the 
Heer agreed on a common version ( Wehrmacht ENIGMA, ‘Service Enigma’), 
it was under pressure from Colonel Erich Fellgiebel (1886 -1944), later (from 
1939) Major-General and Chief, OKW Signal Communications (Fig. 60). 

The three rotors of the Reichsmarine (its name was changed in 1935 to Kriegs- 
marine) ENIGMA ( Funkschliissel M, introduced in October 1934) could now 
be selected respectively from a set of five (1934), seven (1938), or eight (1939) 
rotors (moreover, they could be permuted). They were marked with the ro¬ 
man numerals I,... ,VHI. Before December 15, 1938, the Army (Heer) released 
only three of the five rotors provided for their ENIGMA. The Air Force, too, 
introduced on August 1,1935 the Wehrmacht ENIGMA for its new Luftnach- 
richtentruppe. Removing the exchangeable three rotors is shown in Fig. 61. 

The railroad company ( Deutsche Reichsbahn), the Post Office ( Deutsche 
Reichspost ), and the Sicherheitsdienst (SD, “security service”, from Septem¬ 
ber 1,1937) used less-secure older models without a Steckerbrett (plugboard), 
although, for example, messages concerning railroad transports in Russia 
were liable to give many clues to the enemy. 
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Fig. 60. 3-rotor Wehrmacht ENIGMA (1937) 
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Fig. 61. 

The three removable rotors 
of the Wehrmacht ENIGMA (1937) 

The reflector (presumably marked “A”) of the Wehrmacht ENIGMA was 
replaced on November 1,1937 by Umkehrwalze u B”. In mid-1940, “C” turned 
up, was rarely used and was withdrawn later. Then a ‘pluggable’ reflector 
“D”, which could be rewired, was first observed on January 2, 1944 in traffic 
to and from Norway. Fig. 62 shows a cipher document from 1944 of the Luft¬ 
waffe ENIGMA, indicating that in 1944 the reflector “D” (Dora) was changed 
every 10 days and that some Steckerverbindungen were changed every 8 hours. 
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Fig. 62. Cipher document No. 2744 of the Luftwaffe ENIGMA, presumably for 

September 1944, showing a column ‘ Steckerverbindungen an der Umkehrwalze 1 

A special device, the Uhr box (Plate M) was introduced in 1944 to replace the 
steckering of the Wehrmacht ENIGMA plugboard by a non-selfreciprocal sub¬ 
stitution, which also could be changed easily by turning the knob (presumably 
every hour). Despite the extra security it added, it was not widely used. 
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The rotors could be inserted in arbitrary order into the ENIGMA. Until the 
end of 1935, this wheel order (German Walzenlage) and the cross-plugging 
(German Steckerverbindung) were fixed for three months. Beginning Jan¬ 
uary 1, 1936, they changed every month; from October 1, 1936, every day. 
Later, during the Second World War, they were changed every eight hours. 
The question is, why not earlier? 

Another invention Paul Bernstein made already for the early ENIGMAs did 
not develop into a cryptological fiasco: The ring which allowed the rotor 
position (alphabet ring, index ring, German Sperr-Ring ) to be read was made 
movable, like a tyre mounted round the rim of the rotor core, and its position 
with respect to the core, the ring setting (German Ringstellung) , could be 
fixed with a pin, see Plate K . Starting with the ENIGMA I, the ratchet notch 
was rigidly affixed to the alphabet ring (Korn). This gave increased security. 

7.3.7 The 4-rotor ENIGMA of the Navy. The Kriegsmarine, as it was 
renamed in 1935, always suspicious that its Funkschliissel M 3 could be com¬ 
promised, introduced on February 1, 1942 for the key net TRITON a new ver¬ 
sion Funkschliissel M4 (Plate I), with a fourth rotor marked (3 and therefore 
called Griechenwalze. The extra rotor could be set, but was not moved during 
encryption. The 4-rotor ENIGMA M4 was first used only by the U-boats in 
the Atlantic. By July 1, 1943, an additional rotor 7 came into use. To ensure 
compatibility of the new 4-rotor ENIGMA with the old 3-rotor ENIGMA, the 
old reflector “B” or “C” was split into a fixed thin reflecting disk “B thin” or 
“C thin” and the turnable additional rotor (3 or 7, respectively . 6 A mixed 
combination “B thin” and 7 or “C thin” and (3 occurred occasionally. 
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Fig. 63. From the Wehrmacht ENIGMA operating manual, dated June 8, 1937. Setting 
the ring position and rotor order were in the Navy the prerogative of an officer. 
(Basic wheel setting was later expressed by letters, A = 01, B = 02, etc.) 


6 Rohwer presumed in 1978 a further ‘Greek rotor’ a ; Deavours and Kruh (1985) followed 
him. To this David Kahn: “No a rotor was ever recovered”. In fact, splitting the 
reflector “A”, which had disappeared in 1937, did not make sense. 
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7.3.8 ENIGMA operating manual. Figure 63 shows a section from the 
ENIGMA operating manual of 1937, with the daily changing rotor order, 
ring settings, and cross-pluggings. The Grundstellung (basic wheel setting) 
characterizes the situation of the three rotors when enciphering is started. 
The Kenngruppen had no proper cryptological meaning. 

With 6 (Heer from 1934), 60 (Navy from 1934, Heer and Luftwaffe from 1938), 
or 336 (Navy from 1939) different rotor orders, with 26 3 =17576 different ring 
settings, and with 1.51 TO 14 different cross-pluggings when using 10 stecker, 
the number of variations of the ‘external’ key tokens was so big that naive 
people in the Wehrmacht staff had been deeply impressed. 

The Grundstellung was set out in a key list and was to be used for every 
single message, but the message setting ( Spruchschlussel ) was not determined 
a priori, but dealt with by a key negotiation, as discussed below. To use the 
ENIGMA for this purpose was understandable, since the ENIGMA machine 
was considered invincible; and was possibly considered by the authorities 
as particularly clever, though an enciphering of higher security would have 
been necessary. But neither Heer nor Luftwaffe even provided for additional 
measures to protect the enciphered Spruchschlussel ; only the Navy used (from 
1937) a bigram superencipherment on the basis of bigram tables (Sect. 4.1.3). 
Until 1938 the following procedure held: With a general daily key, comprising 
the rotor order, the cross-plugging, the ring setting, and the general basic 
wheel setting of the three rotors, the sender chose ‘at random’ a 3-letter group, 
enciphered it with the general basic wheel setting, and sent this “enciphered 
indicator”; the recipient deciphered it and it served on both sides as the 
Spruchschlussel (“plain indicator”) for the message that followed. 

But to prevent garbling in the case of noisy wireless transmissions, the 
Spruchschlussel was first doubled, and the resulting 6-letter group was en¬ 
ciphered with the general basic wheel setting, a precaution that had al¬ 
ready been recommended by Chiffriermaschinen A.G. for the commercial 
ENIGMA C. 

The feeling (or hints obtained by intelligence) that this key negotiation was 
not or was no longer safe precipitated a new procedure, introduced on Septem¬ 
ber 15,1938. No longer was a general basic wheel setting used for the whole 
day, but every message preamble contained a freely chosen 3-letter group 
basic wheel setting transmitted in plain 7 , followed by the Spruchschlussel 
(‘indicator’), still doubled and enciphered with this basic wheel setting. 

To give an example: If a transmission starts with RTJWA HWIK. ..., then rtj 
is the plain basic wheel setting and WAHWIK is the doubled indicator enci¬ 
phered with this basic wheel setting. The recipient determines with rtj from 
WAHWIK the doubled plain indicator (which is to have the pattern 123123)] 
the message is deciphered with the first three letters as the indicator. 

' The daily changing of the Ringstellung made this transmission as secure (or insecure) 
as the previous use of the daily-changing general basic wheel setting. 
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Unfortunately, the new procedure did not remove the weakness of the old 
one: The doubling was continued, and this meant a dependence among the 
first and the fourth, the second and the fifth, and the third and the sixth 
letter, and offered a possibility for a break. Not until May 1, 1940 was 
the weakness eliminated 8 . That the indicator doubling was unnecessary was 
confirmed when the wireless traffic still ran smoothly. The damage, however, 
had already occurred and was irreparable. 

Misgivings that the ENIGMA enciphering was no longer secure arose within 
the German leadership, in particular that of the Navy, now and then in the 
course of the war. However, the warnings were repeatedly diverted; merely 
half-hearted steps were taken, like the introduction of the variable wiring of 
the pluggable reflector or the ‘Uhr’, and this rather lately. 

7.3.9 Dissemination of rotor machines. The Heer used ENIGMAs from 
regiments upwards. An estimated total of 200 000 (Johnson) is certainly far 
too high; 30 000 is a low estimate given by Deavours and Kruh. Erskine states 
that at least 41000 were built. A total of nearly 50 000 may be right. After 
the Second World War, the victorious countries sold captured ENIGMA ma¬ 
chines, at that time still widely thought to be secure, to developing countries. 
In Britain, too, rotor machines were used in the Second World War: TYPEX, 
developed since 1934 by O.G.W. Lywoocl et al. as a private venture, was 
quite an improved version of the commercial ENIGMA—some models had 
a pluggable reflector, and instead of the plugboard there was an entrance 
substitution performed by two fixed rotors, wisely not self-reciprocal, see 
Sect. 22.2.7 but the disastrous reflector (see Sect. 7.3.3) was not abolished. 
In the USA, under the early influence of William Friedman (1891-1969) and 
on the basis of the Hebern development, there was in the early 1930s a more 
independent line of rotor machines, leading in 1933 to the M-134-T2, then 
to the M-134-A (SIGMYC), and in 1936 to the M-134-C (SIGABA) of the 
Army, named CSP889 (ECM MarkII) by the Navy (for CCM, see Sect. 8.5.5). 
The Germans obviously did not succeed in breaking the SIGABA, which had 
5 turning cipher rotors with irregular movements (see Sect. 8.5.5). It had 
been made watertight by Frank Rowlett (1908-1998), Friedman’s colleague. 
An interesting postwar variant of the ENIGMA with seven rotors and a fixed 
reflector was built and marketed by the Italian company Ottico Meccanica 
Italiana (OMI) in Rome. The Swiss army and diplomatic corps used from 
1947 on an ENIGMA variant NEMA ( l Neue Maschine ’) Modell 45, developed 
by Hugo Hadwiger (1908-1981), Heinrich Weber (1908-1997) and Paul Glur, 
built by Zellweger A.G., Uster. It had ten rotors: four (out of six) enciphering 
ones and a reflector, the other ones served for rotor movement only. 

Based on US experiences, and similar to TYPEX, was the rotor machine 
KL-7 of NATO (see Sect. 8.5.4), in use until the 1960s. 


The enciphering of the doubled indicator was continued for the 4-rotor Abwehr ENIGMA 
(a version of the ENIGMA G) until January 1, 1944, when some improvement was made. 
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An exceptional role was played by the German Abwehr, the Intelligence Ser¬ 
vice of the German Armed Forces, as far as ENIGMA goes: It used a ver¬ 
sion of the old 3-rotor ENIGMA G of 1928 with a pinion/cog-wheel move¬ 
ment of the rotors, with 11, 15 and 17 notches on the index rings (‘11-15- 
17 ENIGMA’), and naturally without a plugboard—following rather closely 
Willi Korn’s German Patents No. 534947 (1928) and No. 524 754 (1929). 

A few specimens of a 3-rotor ENIGMA (‘ENIGMA T’), likewise without a 
plugboard, but with five-notched rotors were destined for the Japanese Navy, 
but did not get out of the harbour and were captured by the Allies in Brittany. 

7.3.10 Substitutions of rotors, reflectors and stators. 

Wehrmacht ENIGMA (Cipher A. Deavours, Louis Kruh, Ralph Erskine, 
Frode Weierud, Philip Marks): 

Respective entry ABCDEFGH I JKLMNOPQRSTU VWX Y Z Notch 
Exits: Rotor I EKMF LGDQVZNT OWY HXUSPAIBRCJ Y~ 

Rotor II AJDKS IRUXBLHWTMCQGZNPYFVOE M 

Rotor III BDFHJLCPRTXVZNYEIWGAKMUSQO D 

Rotor IV ESOVPZ JAYQU I RHXLNFTGKDC MW B R 

Rotor V V Z B RG I T Y U P S D N H L X AWM J Q O F E C K H 

Rotor VI JPGVOUMFYQBENHZRDKASXL ICTW H, U 
Rotor VH N Z J H G R C XM Y S WB O U F A I V L P E K Q D T H, U 

Rotor VIII F K Q H T L X O C B J S P D Z R AMEWN I U Y G V H, U 

Reflector A E JMZ AL YXVBWFCRQUONT S P I KHGD 

Reflector B YRUHQ S LDPXNGOKM I E B F Z CWV J A T 

Reflector C FVPJ IAOYEDRZ XWG CTKUQS BNMHL 
Rotor (3 LEYJVCNI XWP BQMDRTAKZGFUHOS 
Reflector B thin ENKQAUYWJ I COPBLMDXZVFTHRGS 
Rotor 7 FSOKANUERHMBTI YCWLQPZXVG JD 
Reflector Cthin RDOB J NTKVEHML FCWZAXGY I PSUQ 
Stator abcde fghi j klmnopqrstuvwxyz 

Note: j3, followed by B thin, followed by /5 1 , equals B ; 
e.g., (3{ A) = L, B thin(L) = O , /3 -1 (0) = Y; thus B(A) = Y. 

ENIGMA D (National Archives Record Group No. 457, Heinz Ulbricht): 
Respective entry ABCDEFGH I JKLMNOPQRSTU VWX Y Z Notch 
Exits: Rotor I H RWY I PCGVXL AFU J BKODT SMZNQE g”~ 

Rotor If S EWYMG D L O I U B T XK V J P A F Z C N H R Q M 

Rotor III LVADZPCGYBHXQSUETKFI J WM O R N V 

Reflector I METCGFRAYSQB ZXWLHKDVUPO J N 

Stator qwe r t zu i oasd f g h j kpyxcvbnml 

Reichsbahn ENIGMA (David Hamer, Geoff Sullivan, Frode Weierud): 
Respective entry ABCDEFGH I JKLMNOPQRSTU VWX Y Z Notch 
Exits: Rotor I JGDQOXUSCAMI FRVTPN EWK B L Z Y H V~ 

Rotor n NTZPSFBOK MWR CJDIVLAEYUXHGQ M 

Rotor m J V I U B H T C D Y A K E Q Z P O S GX N RMWF L G 

Reflector QYHOGNECVPUZTFD J A XWM K I S R B L 

Stator qwe r t zu i oasd f g h j kpyxcvbnml 
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Swiss ENIGMA K (David H. Hamer, Geoff Sullivan, Frode Weierud): 
Respective entry ABCDEFGH I JKLMNOPQRSTUVWXYZ Notch 


Exits: Rotor I 
Rotor II 
Rotor IH 
Reflector 
Stator 


PEZUOHXSCVFMTBGLRINQJWAYDK 
ZOUE SYDKFWPC I QXHMVBLGN J RAT 
EHRVXGAOBQU S IMZFLY NWKT P D J C 
IMETCGFRAYSQBZXWL HKDVUPOJN 
qwertzuioasdfghjkpyxcvbnml 


G 

M 

V 


ENIGMAT (‘Tirpitz’) (David Hamer, Geoff Sullivan, Frode Weierud): 
Respective entry ABCDEFGH I JKLMNOPQRSTUVWXYZ Notches 


Exits: Rotor I 
Rotor II 
Rotor III 
Rotor IV 
Rotor V 
Rotor VI 
Rotor VH 
Rotor Vm 
Reflector 
Stator 


KPTYUELOCVGRFQDAN JMBS WH Z X I EHMSY 
UPHZLWEQMTD JXCAKSO I GVBYFNR EHNTZ 
QUDLYRFEKONVZA XWHMG P J B S I C T EHMSY 
C IWTBKXNRESPFLYDAGVHQUOJ ZM EHNTZ 
UAXGI SN J BVERDYLF ZWTPCKOHMQ GKNSZ 
XFUZGALVHCNYSEWQTDMRBKPIOJFMQUY 
B JVFTXPLNAYOZ I KWG DQERUCHSM GKNSZ 
YMT P N Z HWK ODAJXELUQVGCB I SFR FMQUY 
GEKPBTAUMOCN I L JDXZYF HWV QSR 
kzrouqhyaigblwvstdxfpnmcje 


Abwehr ENIGMA No. G-312, version of ENIGMA G (David H. Hamer): 
Respective entry ABCDEFGH I JKLMNOPQRSTUVWXYZ 


Exits: Rotor I 
Rotor A 
Rotor in 
Reflector 
Stator 


DMTWS I LRUYQNKFE J CAZBPGXOHV 
HQZGPJTMOBLNCI FDYAWVEU SRKX 
UQNTL S Z FMREHDPXK I BVYGJ CWO A 
RULQMZ J SYGOCETKWDAHNBXPV I F 
qwertzuioasdfghjkpyxcvbnml 


Note: ‘Notch’ stands for ‘location of the notch with respect to the listed alphabet letter on 
the index ring’. ENIGMA G-312 (‘11-15-17 machine’) is multi-notched in the following way 


ABCDEFGHIJKLMNOPQRSTUVWXYZ 
Rotor I * * * * * * * * * * * * * * * * * 

Rotor fl * * * * * * * * * * * * * * * 

Rotor IH * * * * * * * * * * * 

All wiring measures are made—per convention—with Ringstellung ‘A’ (Hamer). 


7.3.11 Cycle decompositions. The rotors of the ENIGMA D, the Wehr- 
macht ENIGMA, and some others show the following cycle decompositions 
of the substitutions, which simplify identification: 


ENIGMA D 


Wehrmacht ENIGMA 


Rotor I 25+1 
Rotor H 17+7+2 
Rotor m 19+6+1 

Reichsbahn ENIGMA 

Rotor I 13+8+2+2+1 
Rotor n 15+8+2+1 
Rotor m 15+10+1 


Rotor I 10+4+4+3+2+2+1 

Rotorn 8+7+3+2+2+2+1+1 

Rotor HI 17+8+1 

Rotor IV 22+2+2 

Rotor V 11+9+6 

Rotor VI 14+8+4 

Rotor VH 26 

Rotor Vm 17+3+3+3 
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Swiss ENIGMA K 


Abwehr ENIGMA No. G-312 


Rotor I 26 
Rotor II 21+3+2 
Rotor H 14+10+2 


Rotor I 20+6 
Rotor II 10+7+7+2 
Rotor IH 22+4 


7.3.12 Listing of the rotated ENIGMA alphabets. For the derivation 
of the rotated alphabets see 7.2.2. For example, rotor I of the Wehrmacht 
ENIGMA generates the following rotated alphabets (with ring setting A for 
core position i = 0 in Sect. 7.2.2, (b°): 


Ring setting i abcdefghijklmnopqrstuvwxyz 


A 

0 

B 

l 

C 

2 

D 

3 

E 

4 

F 

5 

G 

6 

H 

7 

I 

8 

J 

9 

K 

10 

L 

11 

M 

12 

N 

13 

0 

14 

P 

15 

Q 

16 

R 

17 

S 

18 

T 

19 

U 

20 

V 

21 

w 

22 

X 

23 

Y 

24 

Z 

25 


E KM FLGDQVZNTOWYHXU S PA I BRCJ 
J LEKFCPUYMSNVXGWTRO Z HAQBI D 
KDJ EBOTXLRMUWFV S QNYG Z PAHC I 
CIDANSWKQLTVEURPMXFYOZGBHJ 
HCZMRVJ PKSUDTQO LWEXNYFAGI B 
BYLQU I O JRTCS PNKVDWM X E Z F HA G 
XKPTHN I QSBROMJ UCVLWDYEGZFA 
JOSGMHPRAQNL I TBUKVCXDFYEZW 
NRFLGOQZPMKHS AT J UBWCEXDYV I 
QEKFNPYOL JGRZ S ITAVBDWCXUHM 
DJEMOXNKI FQYRHS ZUACVBWTGLP 
I D L N WMJ HEPXQGRYT Z BUAV S FKOC 
CKMVLIGDOWPFQXSYATZUREJNBH 
J LUKHFCNVOEPWRX Z SYTQD I MAG B 
KTJ GEBMUNDOVQWYRX S PCHLZ F A I 
S I FDALTMCNUPVXQWROBGKYEZHJ 
HECZKS LBMZ O UW P VQNAF JXDYGIR 
DBY J RKALSNTVOUPMZ E IWCXFHQG 
AX I Q J Z KRM SUNTOLYDHVBWEGPFC 
WH P I Y J QLRTMSNKXCGUAVDFOEBZ 
GOHXI PKQS LRMJWBFT ZU CENDAYV 
N GW H O J PRKQL I V AE S YTBDMC ZXUF 
FVGNIOQJPKHUZDRXSACLBYWTEM 
UFMHNP I OJ GTYCQWRZ BKAXVSDLE 
ELGMOHN I F SXBPVQYA J ZWURCKDT 
KFLNGMHERWAO UPXZ IYVTQBJCSD 


Rotor I of the Wehrmacht ENIGMA generates the cycles 

A: (aeltphqxru) ( bknw) ( c mo y ) ( cl f g ) ( i v ) ( j z ) ( s ) 

B: ( z d k s o g pwq t ) ( a j mv) (blnx) (c e f ) ( h u ) ( i y ) ( r ) 

C: ( ycj r nf ovps ) ( z i 1 u) ( a km w) ( b cl e ) ( g t) ( h x ) ( q ) 

D: ( x b i q me n u o r ) ( y h k t ) ( z j 1 v ) ( a c cl) ( f s ) (gw) ( p ) 

E: (wahpl dmt nq) (xgj s) (yi k u) (zbc) ( e r ) ( f v) (o) 

Y: (dhowsktaux) (enqz) (fprb) (gij ) ( 1y) (me) (v) 

Y: (cgnvrj sztw) (dmpy) (e o q a) ( f hi ) (k x) ( lb) (u) 

Z: (bfmuqirysv) (clox) (clnpz) (egh) (j w) ( k a) ( t) 
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7.4 Shifted Standard Alphabets: Vigenere and Beaufort 

Referring to Sect. 7.2.1, choosing in (a') P = p, gives {p l p : i € IN}, the set 
of horizontally shifted standard alphabets, which coincides, see (a°), with 
the set {p l : * e IN} of powers of the standard alphabet, and, likewise, see 
(a"), with the set of vertically continued standard alphabets. This case was 
treated by the Benedictine abbot Johannes Heidenberg from Trittenheim on 
the Moselle river, latinized Trithemius (1462-1516), in the fifth book of his 
Polygraphiae in a standard regular table (''tabula recta’, Fig. 64, French table 
reguliere). For its mechanization, a Silvestri disk (Fig. 26) can be used, which 
carries also on the inner ring the standard alphabet, as well as a disk with the 
cycle p of the standard alphabet and a movable window, since powers are 
to be formed. The literature speaks of VIGENERE encryption steps. More 
correctly, this trivial case should be named after Trithemius. The secondary 
literature of the 19th century was unjust to Vigenere insofar as only shifted 
standard alphabets were connected with his name, while his proposal actually 
was not limited to this: Vigenere wrote in the table heading of a tabula recta 
a mixed alphabet; obviously this was equivalent to Alberti’s disk. 

The set {p l : i £ IN} is implemented electrically by a half-rotor (Fig. 51). 

Rcchtranfpoficiomstabub. 

abcdc fgbiklmnopqrs t u x y ; v 

be d e fgi& iklmnopqrs uxjf ju 
cdefgbiklmnopqrs t u x y j w a b 
defgbiklmnopqrstuxyj'wabc 
c fgbiklmnopqrs cuxyjwabcd 
fgbiklmnopqrs tuxyjwabcdc 
gbiklmnopqrs tuxyjvabcdef 
b iklmnopqrs luxyj»abcdc f g 
iklmnopqrs tuxyjwabcde fgb 
klmnopqrs tuxyjvabcdc f g d i 
Imnopqrs tuxyjwabcdcfgbik 
innopqrstuxyjvabcdefebikl 
nopqrs tuxyjwabcdc f gb i k l m 
opqrstuxyjtibcdefgbiklmn 
pqrstnxyjwabcdcfgbiklmno 
qrstuxyjvibcdefgbiklmnop 
rs tuxyjvabcdc fgbiklmnopq 
s tnxyjwabcde fgbiklmnopq,- 
tuxyjwabcdefgbiklmriopqrs 
uxyjtrabcde fgb iklmnopqrs c 
xyj-wabede fgb iklmnopqrs tu 
y jvabede fgb i klmnopqrs tux 
; *ib c d c f g b I k Imnopqrs tax/ 
wabede fgbiklmnopqrs tuxy; 

Fig. 64. 1 tabula recta’’ of Trithemius 

(Original in the State Library Munich) 
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7.4.1 VIGENERE. Evidently, a VIGENERE encryption step is a linear 
substitution: The cycle p defines the linear cyclic quasiordering of V n and 
thus an addition modulo N n (Chap. 5); the set of alphabets {p l : i £ IN} cor¬ 
responds to the addition of shift numbers A k (French: nombre de decalage): 

N n 

: keZ N n} with A k : A k (x) = y ~ x+k. 

— 1 —1 iV n 

The decryption step A k : A k (y) = x ~ y — k 

amounts to a subtraction of the shift number. The case n= 1 is predominant. 
Such ‘cryptographic equations’ were used about 1846 by Charles Babbage 
(British Museum, Add. Ms. 37205, Folio 59), but he did not publish them. 

VIGENERE encryption comes sometimes in disguise: In 1913, when Woodrow 
Wilson was President, the US State Department and the US Army introduced 
a VIGENERE variant named ‘Larrabee’, using twenty-six cards, each one 
showing the standard plaintext alphabet Z 2 e and the cryptotext alphabet 
obtained by adding the shift number (the ‘additive’). The Italian cifrario tas- 
cabile (Sect. 2.4.1) also amounts to a disguised VIGENERE: It is a polyalpha- 
betic iv 36 y- Z \ 0 with shifted standard alphabets and with keys from Z 2 § . 

A ‘variant’, attributed by Caspar Schott in the Schola steganographia (1659) 
to his contemporary Count Gronsfeld turns out to be nothing more than a 
truncated VIGENERE, using only ten alphabets, which were designated by 
the figures 0,..., 9 . Cryptographically this brings nothing but disadvantages. 
Jules Verne describes it in his novel La Jangada, 1881. A group of French anar¬ 
chists used it in 1892, and the cipher was broken by Etienne Bazeries. Ludwig 
Foppl (1887-1976), in 1915, broke the Gronsfeld ciphers of the Royal Navy. 
Lewis Carroll had a VIGENERE with five alphabets, designated by a, e, i, o, u. 

7.4.2 BEAUFORT. The case of fixed q = q' = N n — 1 yields the family 

N n 

{B k : k £ Zjv„} with B k : B k (x) = y ~ k — x. 

The literature calls this BEAUFORT encryption, although it was studied 
already by Giovanni Sestri in 1710 and rediscovered in 1857 by Admiral Sir 
Francis Beaufort (1774-1857), who is famous for the scale of wind speed. 

The decryption step B k : B k (y) = x ~ k — y 

coincides with the encryption step, so the BEAUFORT encryption step (the 
‘subtractor’ step) is self-reciprocal (Kahn: ‘reciprocal within itself’) but not 

N n N n 

properly: x is fixpoint of B k , if and only if k—x ~ x, i.e., x+x = 2-x ~ k. 

In the classical cases of VIGENERE and BEAUFORT encryption steps, 
naturally n = 1. Incidentally, it was de Viaris , a man oriented towards 
mathematics, who in 1888 published the interpretation of the VIGENERE 


JV" 


x + y — k ~ 0 


N n 

x — y + k ~ 0 


9 


Marquis Gaetan Henri Leon de Viaris, 1847-1901, French cryptologist. De Viaris inven¬ 
ted in about 1885 one of the first printing cipher machines—according to Kahn, the very 
first were invented presumably before 1874 by Emile Vinay and Joseph Gaussin. 
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and BEAUFORT encryption steps as addition and subtraction modulo N , 
after Kercklroffs in 1883 (without knowing of the studies of Babbage) had 
shown the mathematical relations between VIGENERE and BEAUFORT. 
Before this time, and partly even later, the processes had been explained by 
the slides which were in practical use ( Saint-Cyr slide). 

With any fixed slide position, a VIGENERE encryption step turns into a 
normal CAESAR encryption step, while a BEAUFORT encryption step turns 
into a CAESAR encryption step for the reversed alphabet. 

7.4.3 INVERSE KEY VIGENERE. In the English literature the 
inverse key VIGENERE (encryption step and decryption step interchanged) 

N n 

{Ek ■ k £ ZjYn} with Ek : £ l / c ( x) = y ~ x—k (= x+(—k) = —(k—x)) 

. . jv n W " 

and the decryption step E k : E k (y) = x ~ y + k x — y — kes 0 

is also called ‘variant Beaufort’ (Gaines); in French, ‘variante a Vallemande ’. 
It was proposed in 1858 by Lewis Carroll and described in 1888 by de Viaris. 

7.4.4 INVERSE KEY BEAUFORT. The self-reciprocal inverse key 

N n N n 

BEAUFORT fy, : Ffe(a;) = y = ~ —k — x=—(k + x), x + y + k ~ 0 
also described by de Viaris and by Hill, was rediscovered and named ‘variant 
Vigenere’ in 1972 by Ole I. Franksen. It is also named ‘U.S.Army’ (C. Pierce). 

7.4.5 BELLASO and PORTA. Before 1553, Giovan Batista Bellaso pro¬ 
posed splitting a mixed primary alphabet with an even number N = 2v of 
characters into two halves; forming v pairs defines a properly self-reciprocal 
substitution. By shifting the second half of the pairs, a family of up to v sub¬ 
stitutions is generated. Bellaso gave an example for V=Z 2 q with five such 
substitutions (BELLASO encryption steps), designated homophonically by 
20 key letters arranged in quads. 

Giambattista Della Porta (Giovanni Battista Porta), in 1563, used a stan¬ 
dard primary alphabet V=Z 2 2 and 11 such substitution alphabets (PORTA 
encryption steps) designated homophonically by 22 key letters arranged in 
pairs (Fig. 65). A similar arrangement with ten alphabets, and V=Z 2 q, was 
used in 1589 by G. B. and M. Argenti (see Fig. 82). However, a system of 
PORTA encryption steps is not as safe as a system of BELLASO encryption 
steps—similarly for a system of VIGENERE steps versus ALBERTI steps. 

7.4.6 EYRAUD. Another family of accompanying encryption steps, in¬ 
volving decimation, is suggested in Sect. 5.6 (EYRAUD encryption steps) 

N n 

{C q : q € Z. N n A gcd(q, N n ) = 1 } with C q : C q (x) ~ q ■ x . 

N n N n 

The decryption step, using q' such that q-q' ~ 1, is C q : Cq(x) ~ q' -x . 
This is the family of decimated alphabets (French alphabets chevauchants, 
Eyraud), the properly decimated alphabets are those with |q| ^ 1 . 

The most general linear substitution in the ring Z. Nn is a composition of 
VIGENERE and EYRAUD encryption steps: 

N n 

T q>i : Tq ti (x ) ~ q-x + i = Ai(C q (x)). 
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Fig. 65. 

Eleven self-reciprocal 
alphabets for PORTA 
encryption 


7.5 Unrelated Alphabets 

Della Porta robbed himself of the fame of being the inventor of a general 
polyalphabetic substitution based on a number 9 (0 < ( N n )!) of ‘mutually 
unrelated (independent)’ mixed alphabets, that is to say, of alphabets which 
are not related one to another in any such a simple algebraic way as shift 
or similarity transformation (Kahn: “The order of the letters in the tableau 
may be arranged arbitrarily, provided no letter is omitted”). 

7.5.1 PERMUTE. Although Porta described in his Be furtivis literarum 
notis this case of several mixed alphabets (French alphabets incoherents , Ger¬ 
man unabhangige Alphabets), he did not illustrate it except with shifted self¬ 
reciprocal alphabets like the ones in Fig. 65. Eyraud is inclined to give this 
glory solely to the Frenchman Vigenere. Likewise, Luigi Sacco, author of 
the excellent Manuale di crittografia (3rd ed., Rome 1947), favored Italy 
(“trying to prove that everything was Italian first”, Kahn). Charles J. Mendel¬ 
sohn (1880-1939), who was beyond favoritism, praised Porta as “the outstan¬ 
ding cryptographer of the Renaissance.” When dealing with most general 
permutations, we shall speak of a family of PERMUTE encryption steps. 

A table for general polyalphabetic substitution with unrelated alphabets 
could look like this (note the construction principle from a key phrase, namely, 

passwords serve to select a method from a class of methods and keys 

especially to select encryptions se... , forming groups of, say, ten letters): 
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chap t e r lvnbcl fgi j kmoqsuwxyz 
C PASWORDEVTB CFGH I J K LMNQUXYZ 

R NPQRUVWXYZOSELCTAMHDBFG I JK 

Y LSETBDGHIJKNPQUVWXYZFROMAC 

P VWXZHODSANKEYPBCFGIJLMQRTU 

T FGH J KMPQRUVWXZECI ALYTOSNBD 

O YPT I ON SEABD FGHJKL MQUVWX Z CR 


7.5.2 Gripenstierna. General polyalphabetic substitution with unrelated 
alphabets is present in the little known ciphering device of 1786, built by 
the Swedish baron Fredrik Gripenstierna (1728-1804) for King Gustav HI 
of Sweden (Fig. 66), reconstructed by Crypto AG, Zug (Switzerland) from 
documents discovered by Sven Wasstrom in the State Archive Stockholm. 
The device had 57 disks, each one for a different (fixed) bipartite simple 

substitution Z 2 e - Ziq . Considered as a polygraphic substitution with a 

width of 57, permutation of the disks gave the family the immense number of 
57! « 4.05 • 10 76 alphabets. Even if used with unchanged order of the disks 
for a message of several hundred characters or for several such messages, the 
cryptosystem was far better than anything else around at that time. 
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Likewise, in 1799, the Roman Catholic priest Johann Baptist Andres (1770- 
1823) described the use of a table with 26 unrelated mixed alphabets, to be 
selected periodically according to a key. 

In 1915, the Swedish inventor Arvicl Damm conceived a device somewhat 
along these lines, using a number of exchangeable bands with unrelated mixed 
alphabets in an arrangement on a drum parallel to its axis (A-21: Fig. 67). 
Next to the bands was a straight edge for the plaintext alphabet; after each 
step the drum was moved one step. The straight edge for the plaintext 
alphabet could be brought into two positions, which were changed with a 
relatively short period. This cryptosystem was far inferior to Gripenstierna’s. 



Fig. 67. A-21 (1915) by Arvid Damm (A.B. Cryptograph, Stockholm) 

Polyalphabetic encryption with unrelated alphabets was used in the First 
World War by a German radio station for messages to a sabotage group in 
North Africa (“fur GOD” system), as well as by the US Air Force and the 
Royal Air Force in the Second World War for air-ground traffic (SYKO)—and 
on both occasions it was insecure. SYKO consisted of thirty self-reciprocal 
alphabets, printed on cards—the same old “Larrabee” idea (Sect. 7.4.1). The 
alphabets were used in some cyclic order—the encipherer using an indicator 
(‘pointer’) to define the beginning—for a whole day. That was far too long 
and was the reason for the weakness of an otherwise good system. 

7.5.3 MULTIPLEX. Restricted to full cyclic per¬ 
mutations, polyalphabetic encryption with unrelated 
alphabets has found classical use in the form of a spe¬ 
cial ciphering device, the cylinder used by Jefferson 
(between 1790 and 1800) and reinvented in 1891 by 
Bazeries. The cyclic substitutions are represented one 
by one as a cycle at the rim of a thin cylinder (French 
rondelle). Jefferson ordered 36 such cylinders (each 
one with a mixed ^ 26 ) into a long cylinder; Bazeries 
used 20 cylinders (each one with a mixed Z 25 ),as 
shown by Fig. 19. 

The great cryptologist William Friedman called these 
families of unrelated cycles ‘multiplex systems.’ 


Thomas Jefferson 
(1743-1826) 
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Fig. 68. The twenty cycles of Bazeries 


Fourteen of the twenty cycles Bazeries used—they are found in Fig. 68 — 
originated from whimsical dicta, passwords like 

Allons enfants de la patrie, le jour de gloire est arrive 

Bienheureux les pauvres d’esprit, le royaume des Cieux 

Charybde et Scilla 

Dieu protege la France 

Evitez les courants d’air 

Formez les faisceaux 

Gloire immortelle de nos aieux 

Honneur et Patrie 

Instruisez la jeunesse 

J'aime Voignon frit a I’huile 

Kyrie eleison 

L ’homme propose et Dieu dispose 
Montez a cheval 
Nous tenons la clef 

Bazeries was not successful in convincing the French etat-major general to 
accept his invention—de Viaris (Sect. 14.3.1) succeeded in showing how to 
break messages encrypted with the cylinder if the alphabets were known, a 
realistic assumption in the military combat situation (Sect. 11.2.3). Appar¬ 
ently, Bazeries did not know that Jefferson long before had had the same 
idea, and most likely—he died in 1931, at the age of 85—he did not learn of 
the late vindication of his proposal in 1922 by the US Army. A device with 
thirteen cylinders was proposed in 1900 by the Italian Colonel Oliver Ducros. 
The cylinders of Jefferson and Bazeries allowed the encrypted text to be read 
off (Fig. 21) not only in the next, but in an arbitrarily chosen *-th line (the 
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“i-th generatrix”). Thus, the encryption was polyphonic. The authorized 
decryptor, after having set the cryptotext, simply looked for a line that struck 
the eye. For unauthorized decryption, this complication was less harmful than 
one would naively think (Sect. 14.3.1). 

Normally, the order of the cylinders was left unchanged for a whole message, 
even for several messages, or for a predetermined period, such as a day. 
Instead of cylinders, strips with a duplication of the alphabet can be used. 
Such a ciphering device was proposed in 1893 by the Frenchman Arthur 
J. Hermann. It was propagated in 1914 by Captain, later Colonel Parker 
Hitt, referring to Bazeries. He also had no success at first. Meanwhile, 
in 1917, Russell Willson, a naval lieutenant, also invented a strip device, 
the NCB (Navy Code Box), which was used in the US Navy at least until 
1935. But the US Army turned after all to the Jefferson cylinder; the famous 
M-94, introduced in 1922 under the influence of Friedman after substantial 
improvements had been made in the alphabets by Colonel Mauborgne 10 , 
then head of the Signal Corps’ research and engineering division. It had 25 
thin aluminum cylinders the size of a silver dollar, turning on a spindle 110 
mm long. The M-94 (Plate D, Fig. 69) was declared obsolete in 1943, when 
sufficient M-209s (Sect. 4.4.8) were available. 



Etienne Bazeries 


Parker Hitt 


Joseph O. Mauborgne 


In 1934, M-138, a strip version, was adopted; one hundred strips were avail¬ 
able and thirty were used at a time. The improved M-138-A from 1938 served 
military officers and diplomats. It was thought to be so secure from unautho¬ 
rized decryption that a radio signal from Roosevelt to Churchill, immediately 
after the Atlantic Conference in August 1941, was sent via M-138-A. This 
caused very much concern for the distrustful Roosevelt, who was cryptolo- 
gically experienced and used Navy cryptosystems ‘for matters of utmost 
secrecy’—Churchill was not well informed as far as encryption security goes. 
While the Japanese seemingly were not able to break the American strip 


10 It was the same Mauborgne who had in 1918 improved Vernam’s bitwise encryption 
through the introduction of endless and senseless keys (‘one-time keys’), see Sect. 8.8.2. 
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Fig. 69. Cryptographer 
assembling M-94 



cipher, the Germans did: Hans Rohrbach in 1944 (Sect. 14.3.6) broke it 
without having access to the alphabets. (His success did not last long, for 
soon afterwards the USA made a change to the SIGTOT Vernam-type ma¬ 
chines.) Plate E shows the version M-138-T4 with 25 strips used at a time. 
The US State Department system ‘0-2’ that Rohrbach had defeated used 
from fifty available strips thirty at a time, namely, two groups of fifteen 
strips each. Here was a risk: The total number of available strips should be 
considerably larger than the period, i.e., the number of strips used at a time. 

By the way, the US Navy used as a successor to the Cipher Box the ciphering 
device CSP 642, also with thirty strips. The Japanese seized some of these 
and took great pains to break messages, without success—presumably they 
had not studied the methods of de Viaris and Friedman (Sect. 14.3). 

For cylinder and strip cipher devices, we shall follow Friedman and denote 
the encryption steps as MULTIPLEX encryption steps. They are special, 
i.e., fully cyclic, PERMUTE encryption steps. 

7.5.4 The Latin square requirement. In the special case 9 < N it can 
be required that the N permuted alphabets of N characters each, written 
row by row, have the following property: in no column does a character 
occur more than once (Eyraud: ‘ alphabets reellement non-paralleles'). In the 
case 9 = N , the alphabets form a ‘Latin square’ in the sense that also in 
every column each character occurs just once. This requirement (with the 
insufficient justification that it allows the table to be turned around) was 
already mentioned in the Geheimschreibekunst of Johann Baptist Andres in 
1799 (see Sect. 7.5.2) who also gave an example with his table. The tabula 
recta trivially fulfills the requirement, but its alphabets are not unrelated. 
The requirement can be postulated for the permuted alphabets belonging to 
the cycles of a multiplex system (Sect. 7.5.3) with the effect of preventing the 
de Viaris attack (Sect. 14.3.1). Cycles derived from mnemonic passwords are 
unlikely to qualify, in fact the permuted alphabets belonging to the cycles 
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Table 2. The 20 permuted alphabets corresponding to the cycles of Bazeries 


of Bazeries (Table 2) show a peculiar effect: most columns have one or two 
letters occurring frequently. It is clear that many missing letters help to make 
a break. The alphabets belonging to the cycles of Bazeries—irrespective of 
how they are supplemented by five more—cannot give a Latin square. 

Usually, a standard alphabet of TV characters is chosen for the first row and 
for the first column of a Latin square. For TV = 2 and TV = 3 there are only 
the trivial solutions of a tabula recta, 

a b a b c 

b a b c a 

cab 


For TV = 4 there are, apart from the tabula recta, three more of these ‘re¬ 
duced’ Latin squares: 


abed 
b c cl a 

c d a b 

cl a b c 


abed 
b cl a c 

c a cl b 

cl c b a 


abed 
bade 
c d b a 
cl c a b 


abed 
bade 
c cl a b 
cl c b a 


The numbers grow fast: 56 for TV = 5 (L. Euler 1782), 9408 for TV = 6 
(M.Frolow 1890), 169 42080 for TV = 7 (A. Sade 1949), 53 52814 01856 for 
TV = 8 (M.B. Wells 1967). For TV = 9 there are 377 59757 09642 58816 re¬ 
duced Latin squares, as calculated by S. E. Bammel and J. Rothstein in 1975, 
For TV =10 there are 75807 2148316013 28114 89280 (E.Rogoyski 1990), for 
TV = 11 there are 5363 93777 32773 712981196735407 71840 reduced Latin 
squares (B. D. McKay and I. M. Wanless 2004). 
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Two examples of Latin squares with 7V = 10 and Zio = {0,1, 2,..., 9} are: 


0123456789 

1572890346 

2461389057 

3057248961 

4906135872 

5890724613 

6789013524 

7618902435 

8345671290 

9234567108 


0123456789 

1432098567 

2654309871 

3876540912 

4981765023 

5098217634 

6709832145 

7210984356 

8345671290 

9567123408 


Table 3 shows 26 alphabets attributed to Mauborgne. They almost form a 
Latin square for N = 26. Why Mauborgne provided for the three exceptions 
in alphabet 16 is unknown. 
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Table 3. Almost Latin square for N= 26 alphabets (Mauborgne). A cyclic permutation 
of the three boldface letters in line 16 establishes a correct Latin square. 


Note also that rotated alphabets (Sect. 7.2.2)—in contrast to shifted alpha¬ 
bets (Sect. 7.2.1)—usually (in particular for N > 6) do not form a Latin 
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square—see, for example, Sect. 7.3.12, where the first column lacks the nine 
letters L, M, O, P, R, T, V, Y, Z. 

7.5.5 Estimations. Simple arithmetic formulas for the number l(N) of 
reduced Latin squares of N rows and columns have not been given so far. 

Note that 1(9) « 3.78 • 10 17 , 1(10) « 7.58 • 10 24 , 1(11) « 5.36 • 10 33 
Erdos (1913-1996) and Kaplanski conjectured in 1946 that asymptotically 
l(N) x N-(N\) n ~ 2 / e JV '(Y-i)/2 

( 1(9) x 1.73 • 10 24 , 1(10) x 8.61 • 10 33 , 1(11) x 3.68 • 10 45 ). 

This estimate is not very useful, for i(ll) it is wrong by 12 powers of ten. 
For N < 10, empirically a pretty good upper bound is 

l(N) < y/((N- l)!)^- 1 
However, it is no longer an upper bound for Z(ll): 

1(9) « 3.78 • 10 17 < 2.64 • 10 18 , Z(10) « 7.58 • 10 24 < 1.04 • 10 25 , 
but Z(ll) « 5.36 • 10 33 > 6.29 • 10 32 . 

A very crude lower bound (Heise) is 

l(N) > 2! • 3! • 4! •... • (IV — 2)! : 

1(9) > 1.25 • 10 11 , Z(10) > 5.06 • 10 15 , Z(ll) > 1.83 • 10 21 . 

For Z(15), a value of 1.5 • 10 86 has been estimated (B.D. McKay) . For Z(26), 
a value in the neighborhood of lO 400 may be expected. 
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No message is safe in cipher unless the key phrase 
is comparable in length with the message itself. 

Parker Hitt 1914 


8.1 Early Methods with Periodic Keys 

8.1.1 Alberti. The earliest attempts at polyalphabetic encryption can be 
found in the manuscript Trattati in cifra of Leone Battista Alberti (1404- 
1472), an essay of 25 pages he wrote in 1466 or 1467 for his friend Leonardo 
Dato, the papal secretary. The Latin original De cifris (manuscript in the Va¬ 
tican Archives—many times copied) is reproduced in Aloys Meister, Die Ge- 
heimschrift im Dienste der Papstlichen Kurie, Paderborn, Schoningh, 1906. 
Alberti was not only an architect, painter, music composer, and organ player, 
but also a great Renaissance scholar. He knew how to break a simple sub¬ 
stitution cipher, and so he had thoughts on how to avoid this. He proposed 
changing the substitution alphabet after every three or four words, “intro¬ 
ducing a new meaning of the cipher letters.” For this purpose he invented a 
device, the turnable cipher disk (Fig. 26), which made quite a number of de¬ 
rived substitution alphabets available. Three or four words is on average 18 
letters. Thus, Alberti unconsciously stayed below Shannon’s unicity distance 
(Sect. 12.6) for simple substitution. This was great progress compared to the 
then common use of homophones: While in a homophonic simple substitu¬ 
tion Z 25 —■>- Z \0 the bigrams 89, 43, 57, and 64 could mean the letter 
/a/ , now every bigram of figures could mean /a/ —depending on its position 
in the text. Of course, the encryptor and decryptor had identical disks. 
Alberti suggested two different systems of using his disk; Luigi Sacco men¬ 
tioned only the first, and David Kahn only the second. Sacco, an Italian 
cryptologist and Eyraud, a French one, give the following explanation: A 
particular letter, say /b/, is agreed upon as an indicator (French index). The 
encryptor inserts in front of every part of the text that is to be encrypted with 
a new alphabet an arbitrary choice among the four figures 1 ... 4 . Whenever 
a figure has been enciphered, the new position of the turnable disk is de¬ 
termined by juxtaposing the index with the cipher equivalent of this figure. 
The decryptor knows that when a figure appears in the decrypted plaintext, 
his next step is to turn the disk and set the cryptotext letter against the 
index. By the way, this procedure is the first instance of covert key commu¬ 
nication, so important with modern encryption machines. 
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Kahn explained the use of the figures on Alberti’s disk as a superencryption 
of the quaternary code introduced by Alberti as well: a code of 336 groups 
of two, three and four of the figures 1 ... 4, to be interspersed within literal 
text. Alberti (see Sect. 4.4.2) mentioned also ordering the code for encryption 
in words and for decryption in code groups—an early two-part code. 

By introducing polyalphabetic encryption and superencrypted code, Alberti 
may be called the father of modern cryptology, without disrespect for the 
architect of the Palazzo Pitti, the churches Sant’ Andrea at Mantua, Santa 
Maria Novella at Florence, and the Tempio Malatestiana at Rimini. These 
works established his fame, but his cryptologic relevance was forgotten for a 
long time. 

8.1.2 Trithemius. While Alberti changed the alphabet after every three or 
four words, Trithemius proposed already in Vol. V of his Polygraphice (1508- 
1518) to proceed after every letter to the next alphabet. He did so, however, 
according to a regular, periodic progression—-just line by line of his tabula 
recta. Thus, his method was with respect to this far inferior to that of Alberti. 
On the other hand, he used all available alphabets before an alphabet was 
used a second time. Following Kahn, this is called a “progressive key” crypto¬ 
system—not to be confused with the expression “running key” (Sect. 2.3.3) 
introduced by Friedman. Modern cipher machines display a special liking for 
progressive encryption, but use many more than two dozen alphabets. More 
about this in Sect. 8.4.3 . 

Trithemius’ encryption was a fixed cryptosystem with a period of 24; it can 
be considered a monoalphabetic polygraphic encryption of width 24. One 
would not believe that such a method would be used professionally in the 
20th century. Actually, it was even used with period 3 (followed by a sim¬ 
ple columnar transposition) in 1914 by the Germans on the Western front. 
The French called it ABC—in today’s language it is a periodic VIGENERE 
encryption with special key A B C —and liked it, of course (Sect. 2.1.1). 

Della Porta then showed in 1602 how a Trithemius encryption can be attacked 
in special cases: If the plaintext contains three alphabetically consecutive 
letters like pon in pondus, they give a triple letter in the cryptotext. 

Neither Alberti nor Trithemius used key words in connection with polyal¬ 
phabetic encryption. Giovan Battista Bellaso was the first (1553) to denote 
the encryption steps consecutively with letters A, B , ..., Z and to use 
a keytext to select the alphabets—either by turning the cipher disk or by 
choosing a line in a table. His keytext consisted of rather long phrases like 
OPTARE MELIORA and VIRTUTI OMNIA PARENT , to be repeated if 
necessary. Such a repeated key leads to a periodic polyalphabetic (mono¬ 
graphic) encryption (Sect. 2.3.3). Still using the standard alphabet only, the 
combinatorial complexity Z of this method is N d for keys with d letters, 
for the polygraphic case of width n it is Z = ( N n ) d = N n ' d . 

Let M d denote a system of periodic encryptions with key sequences of period d. 
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8.2 ‘Double Key’ 

8.2.1 Bellaso and Della Porta again. Bellaso, in 1555, combined the 
use of a keyword with the use of a mixed alphabet derived from a pass¬ 
word and other ones derived from it by shifts. This decisive step was further 
propagated in 1563 by 28-year-olcl Giambattista Della Porta (1535-1615) in 
his De furtivis literarum notis , a book Kahn calls “extraordinary, with fresh¬ 
ness, charm, and ability to instruct.” 

Since the password determining the mixed alphabet was already called the 
key, it became customary to speak of a ‘double cipher’ (in the French ter¬ 
minology, this is alive even today, substitution a double clef), but this is now 
obsolete. Kahn writes: “Givierge was even then [1920s] calling polyalphabetic 
systems by the almost obfuscatory ‘double substitution’ which tells absolutely 
nothing at all about the system.” Givierge speaks of clef principale for the 
‘actual key’. The password is sometimes called ‘second key’. 

The combinatorial complexity of this method for keys with d letters and an 
arbitrary mixed alphabet is for simple (monographic) encryption N ! • N d ~ 1 , 
for the polygraphic case of width n it is ( N n )! • (_/V ra ) d_1 . 

Instead of a disk, a table can be used, of course. It would read for the case 
of Alberti’s disk in Fig. 26 (with {p~ l P : i € IN} ): 

abcclefgi lmnopqrstvxz 12 34 
0 D LGAZENBO S FCHTYQ I XKVP&MR 

1 RDLGAZENBO SFCHTYQIXKVP&M 

2 MRDLGAZEN B OSFCHTYQ I XKVP & 

3 feMRDLGAZE N BOS FCHTYQ I XKV P 


The decryption steps are obviously obtained, if the mixed alphabet of the 
cryptotext characters in the line i = 0 is put atop a tabula recta of the 
plaintext characters, in our example (with {P~ 1 p l : i £ IN}): 

DLGAZEN B O S FCHTYQ I XKVP &M R 
0 abcdefg i 1 m n o p q r s t v x z 1 2 3 4 

1 bcclefgi lmnopqrstvxzl234a 

2 cclefgi lmnopqrstvxzl234ab 

3 defgilmn o pqrstvxzl234abc 


8.2.2 Vigenere. It is just this connection of a tabula recta with an ar¬ 
bitrary substitution (cf. Sect. 7.4) that was proposed in 1585 by Vigenere. 
Proposing the use of keys as well, he obtained the full power of ALBERTI 
encryption steps. He also recognized how important it was to choose quite 
long key words for making cryptanalysis difficult. 

Blaise de Vigenere was born April 5, 1523 in Saint-Pourgain, “halfway be¬ 
tween Paris and Marseilles”, writes Kahn with American liberality. He went 
to the Diet of Worms as a very young secretary, and subsequent travels 
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through Europe in diplomatic missions widened his experience; then for the 
rest of his life he served the Duke of Nevers. He read Trithemius, Bellaso, 
Cardano, and Della Porta. In 1570, at the age of 47, he concentrated fully 
on writing; until his death in 1596 he wrote on everything on earth, even a 
Traicte des Cometes. He wrote his Traicte des Chiffres at age 62 in 1585, 
“despite the distraction of a year-old baby daughter,” as Kahn writes. In 
1570 Vigenere had married Marie Vare, who was many years younger. The 
cryptologic book had more than 600 pages and contained a lot more than 
cryptography— Japanese ideograms, alchemy, magic, kabbalah, recipes for 
making gold; but also a reliable, precise reflection of the status of cryptol¬ 
ogy at that time. Discussing polyalphabetic encryption, he followed Alberti 
and Trithemius in the use of alphabets obtained by shifts, and marked the 
rows by key characters as Bellaso and Della Porta had done for their self¬ 
reciprocal alphabet. Altogether, he gave the picture of polyalphabetic simple 
substitution its modern form. 

8.2.3 A ‘treble key’ (French triple clef ) is obtained, if two primary alphabets 
are combined with a keyed iterated substitution; for example, if for given Pi, 
P 2 the case (a) in Sect. 7.2.1 is taken into account, i.e., the set of alphabets 
{P\p l P 2 : i £ IN} (Sect. 19.5.3). Vigenere had gone into this case by de¬ 
noting the VIGENERE encryption steps with a mixed alphabet of key letters. 

8.3 Vernam Encryption 

Modern communication channels work in a binary alphabet Z 2 = {0,L} or 
Z 2 = { 0 , 1 } . Encrypting the symbols of the International Teletype Alphabet 
CCITT No. 2 can be seen as a polygraphic (quinpartite) binary encoding with 
N = 2 and n = 5 ; for the encryption of bytes, i.e., of 8-bit characters, which 
often serve in today’s computers as basic units, we have the case N = 2 and 
n = 8 of binary octograms, for blocks of 8 bytes N = 2 and n = 64. 

Restricted to VIGENERE encryption steps, there are 32 for Z 2 and 256 for 
Z 2 ; their execution as addition modulo 32 or modulo 256 requires a cyclic 
adder with a width of 5 bits or 8 bits. A suitable binary circuitry (with 
n = 5) is shown in Fig. 70. Larger microprocessors today allow even 64-bit 
addition and can directly encrypt byte octograms. 

bi b 2 h bt b 5 


Fig. 70. 

Addition circuit built 
from half-adders HA 
(C: carry exit, 

S : sum exit) 
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8.3.1 Bitwise encryption. On the other hand, a VIGENERE encryption 

step can be executed bit by bit. This extreme case of a bitwise encryp¬ 
tion will become particularly important later. If a bitwise binary encryption 
Z 2 -^Z 2 is a mapping, it is a permutation of the two characters 0 and 1 ; 

the identity O : ? ^ ? and the reflection L : ? ^ \ 

3 1 i—' 1 1^0 

are the only encryption steps (VERNAM encryption steps). They coincide 
with the VIGENERE and BEAUFORT steps +0 and +1. The encryption 
is necessarily self-reciprocal, but not properly self-reciprocal. | M \ = 2 is the 
smallest integer that allows a polyalphabetic encryption. Thus, the key of a 
VERNAM encryption is generated by a finite { O, L}-word that is periodically 
repeated, or it is an infinite { O, L}-sequence like OLLOLOOLLO... . 

Since in Z 2 the identity O can be performed by the addition of 0 and the re¬ 
flection L by the addition of 1, the encryption Z 2 - 5 - Z 2 is a linear trans¬ 

formation. Addition in Z 2 , addition modulo 2 , frequently denoted by ® , 
coincides with the Boolean operation <+> (Exclusive Or), which is also called 
‘noncarrying binary addition’, since it is the sum output of a half-adder. 

8.3.2 Vernam. The idea of realizing these two encryption steps by electric 
contacts came in 1917 (before Lester S. Hill) to a young employee of AT &T 
in New York, Gilbert S. Vernam (1890-1960). 1 

Vernam constructed for a commercial teletypewriter a binary VIGENERE 
encryption supplement. The key was punched on normal 5-channel teletype 
tape that could be linked to form a rather long loop. By double encryp¬ 
tion with short loops of 999 and 1000 characters, Lyman F. Morehouse, in 
Vernam’s team, obtained a key that was 999000 characters long and, more 
important, was ‘senseless’. Vernam applied on September 13, 1918 for a US 
patent and obtained it in 1919 under the number 1 310 719. On the commer¬ 
cial level, it was not successful; codes were more in demand. But the idea 
was adopted in professional diplomatic and military cryptology; among others 
(see Sect. 8.8.3) in the US Army SIGTOT machine and also in the Siemens 
SFM T 43 (British code name THRASHER, Swedish code name QEKY). 

8.3.3 Mutilated carry. Transition from a VIGENERE encryption step in 
Z 2 „ (performed by addition of (ai ci 2 <23 ... a n ) in the binary system) to n 
polyalphabetic VERNAM encryption steps (that is, VIGENERE encryption 
steps in Z 2 with addition of a\ , of 02 , ... , of a n ) amounts to dismantling 
the carry part of the electronic binary addition circuitry (‘wrong addition’). 

The same goes for VIGENERE encryption steps in Z 10 „ , performed by ad¬ 
dition modulo 10" of numbers from {0, ... 10 ra — 1} . For a mechanical desk 
calculator, transition to n VIGENERE encryption steps in Z 10 amounts 
to dismantling the mechanical carry device (Sect. 5.7); such a mutilated desk 
calculator performs polyalphabetic encryption over its full working width. 


1 


Vernam was a restless inventor, he obtained 65 patents of all kinds. He died in 1960 of 
Parkinson’s disease. 
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8.4 Quasi-nonperiodic Keys 

8.4.1 Polyalphabetic encryption considered arduous. Despite the 
crypt analytic security it offered when used properly, periodic polyalphabetic 
encryption with long keys found it difficult to win against the nomenclators. 
It was first used in exceptional cases only: in the Papal Curia in 1590, where it 
was broken by Chorrin, a decryptor of Henri IV; and by the Cardinal de Retz 
in 1654 for communications with the Prince of Conde (Louis II of Bourbon) 
before the outbreak of the Huguenot War, when it was broken by Guy Joly 
who guessed the key word, which was the preferred method. In 1791 Marie 
Antoinette used polyalphabetic encryption in her exchange of amatory and 
conspiratorial letters (Sect. 2.1.1). Her lover from 1783, the Swedish Count 
Axel von Fersen, concocted a Porta-like assembly of 23 self-reciprocal alpha¬ 
bets (Fig. 71). Axel von Fersen was cautious and did not use obvious mne¬ 
monic words but mots vides like DEPUIS, VOTRE. It was not to be blamed 
on cryptanalysis that the escape of Louis XVI and Marie Antoinette ended 
at the bridge of Varennes, for none of their messages had been decrypted. 

A (ab) (cd) (ef) (gh) (i k) (lm) (no) (pq) (rs) (tu) (xy)(z&) 

B (bk) (du) (ei) (f 1) (gn) (ho) (my) (ps) (qx) (rt) (ac) (&z) 

C (1 r) (ad) (bg) (cz) (s&) (ek) (fm) (ht) (ix) (np) (oq) (uy) 

Fig. 71. Marie Antoinette’s polyalphabetic self-reciprocal encryption 

Before it was mechanized, polyalphabetic substitution had a reputation for 
being cumbersome and prone to error. William Blair wrote in an 1819 en¬ 
cyclopaedia article: “polyalphabetic substitution requires too much time and 
by the least mistake in writing is so confounded ... .” 

The same complaint is found in a 17th-century Brussels book, Traitte de 
I’art de dechiffrer: “... takes too long to encipher them, dropping of a single 
ciphertext letter garbles the message from that point on ... .” 

8.4.2 Polyalphabetic encryption considered safe. However, polyal¬ 
phabetic substitution was also reputed to be unbreakable. Matteo Argenti 
wrote, “The key cipher is the noblest and the greatest in the world, the most 
secure and faithful that never was there a man who could find it out.” 

Until the 19th century, the only genuine break occurred when trivial alpha¬ 
bets with shifts were used, words of the plaintext could be guessed, and a 
short key could be reconstructed—not to speak of guessing the key word, as 
Della Porta and the Argentis succeeded in doing. This changed only with the 
rise of systematic solution in the middle of the 19th century. 

To exclude these possibilities of attack, it is advisable (Parker Hitt) to take 
the period length of the keytext to be considerably larger than the whole 
plaintext (quasi-nonperiodic key), or to use a nonperiodic key (Sect. 8.7). 

8.4.3 Progressive encryption. But if quasi-nonperiodic encryption is 
envisaged, it is advisable for the sake of security to use many more alphabets 
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than one usually has key characters. These alphabets should also be se¬ 
lected less regularly than mnemonic keywords provide for (Kahn: “irregular 
sequence of alphabets”). Moreover, if a great number of alphabets are avail¬ 
able, it may be worth using progressive encryption in the following sense: 

Progressive encryption is a periodic polyalphabetic encryption that uses no 
alphabet again before all other alphabets have been used. Thus, the period d 
of a progressive encryption coincides with the cardinal number 9 of the set of 
encryption steps. A quasi-nonperiodic encryption results when the message 
is shorter than 9 . 

Progressive encryption was already proposed by Trithemius with his tabula 
recta (Sects. 7.4, 8.1.2), although with 24 shifted standard alphabets it did not 
provide much security. Progressive encryption is systemic with the cylinder 
and strip devices, where each alphabet is only available in one copy. Progres¬ 
sive encryption was also favored in the mechanical or electromechanical en¬ 
cryption machines of the first half of the 20th century. In the following, 
cascading stepwise movement of a set of rotors is typically progressive. 

8.4.4 ‘Regular’ rotor movement. Although nothing prevented rotors 
from having many contacts (the half-rotor of the Japanese Angooki Taipu A, 
Fig. 79, had 60), it seemed natural in the case of Z]\j to have N contacts and 
thus only N alphabets. To achieve a high period for a progressive encryp¬ 
tion, the weak solution Hebern and Scherbius found independently was to 
step several rotors successively as in a counter (‘regular’, cyclometric rotor 
movement). With four rotors and A = 26, the period d is equal to or at least 
(in ‘almost progressive encryption’) not much smaller than 0 = 26 4 = 456 976. 
This is an impressive number, which means the period does not need to be 
exhausted for a message the length of a typical novel. With five rotors, 9 is 
12 million, which is many more letters than there are in the entire Bible. 

8.5 Machines that Generate Their Own Key Sequences 

Crypto machines of some comfort frequently have a double function: They 
perform polyalphabetic encryptions, and they generate their own key se¬ 
quence for the selection of these encryptions. If keytext generation is in¬ 
cluded, it is the crucial issue of mechanization. 

8.5.1 Wheatstone. Trithemius used the shifted (standard) alphabets 
straightforwardly one by one, and this was still done (with shifted mixed 
alphabets) in the Cryptograph of Wheatstone, 1867 (Plate C). This meant 
the use of a fixed key. The use of keys by Bellaso allowed the experienced 
encryptor enough irregularity in the selection of the alphabets. 

8.5.2 Attempts at irregularity. Keytext generators with such a long 
period that normally for one message the full period by far is not exhausted, 
offer an ‘irregularity in the selection of the alphabets’, caused by the enci¬ 
pherer in choosing the starting point of the keytext cycle. Arthur Scherbius 
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therefore provided in his basic patent application filed February 23, 1918 
(German Patent 416 219) in the first instance the regular, cyclometric rotor 
movement (“like that of counters”) only as one possibility. 

Arvid Gerhard Damm, one of the inventors of the rotor principle, made in his 
Swedish patent application of October 10, 1919 a first attempt at irregularity: 
four gears (‘key wheels’), one for each rotor, move each half-rotor after each 
encryption step a varying number of positions. This ‘irregularity’ was not 
very deep, and more likely to impress a naive person was the period d = 
17 • 19 • 21 • 23 of the half-rotor movement; at more than 150 000 it was about 
one third of 6 = 26 4 = 456 976 . It was almost progressive encryption. 

In a later application filed on September 26, 1920 (German Patent 425 147), 
there are mentioned geared drive wheels (‘key wheels’) with irregularly dis¬ 
persed cams. For the ENIGMA A of 1923 and the ENIGMA B of 1924, both 
with four rotors, the rotor movement (patented for Paul Bernstein, filed on 
March 26, 1924, German Patent 429 122) was somewhat irregular insofar as 
the four geared drive wheels had gaps: one wheel with 11 positions had 5 
teeth and 6 gaps, one wheel with 15 positions had 9 teeth and 6 gaps, one 
wheel with 17 positions had 11 teeth and 6 gaps, one wheel with 19 positions 
had 11 teeth and 8 gaps. Thus, a period of d= 11 -15-17-19 , that is, more 
than 50 000, was obtained for the rotor movement, which was only about one 
ninth of 9 , but certainly again providing almost progressive encryption. 

The geared drive wheels, however with notches, turned up again in Korn’s 
ENIGMA G of 1928 (‘ Enigma Schliisselmaschine mit 4 Walzen und ZahlwerE). 
Irregular movement through ‘gap-tooth’ cog wheels with varying numbers of 
teeth and gaps was also used by the cipher machine (Plate F) of Alexander 
vonKryha (patent filed January 16, 1925, German Patent 434 642), but with 
a period of between 260 and 520 the machine was cryptologically very weak. 

When Boris Hagelin, who took over Damm’s company Aktiebolaget Cryp¬ 
tograph, in 1935 replaced the half-rotors by a ‘bar drum’, also called ‘lug 
cage’ (German Stangenkorb), for performing BEAUFORT encryption steps, 
he nevertheless continued to use irregular movement produced by ‘step 
figures’ of the key wheels. For the machines C-35 (Fig. 72, Plate G), the 
number of key wheels was five. In a later model C-36, improved on the advice 
of Yves Gylden, six key wheels could be used, for a period of 17-19-21-23-25-26, 
more than 100 million. 2 Hagelin got from France an order for 5000 machines, 
to be fabricated under license by Ericsson-Colombes. In the Second World 
War, 140 000 improved machines were built in the USA under license by the 
typewriter company L. C. Smith & Corona, named M-209 (Plate H) by the US 
Army, CSP 1500 by the US Navy. A version C-38m was used improperly by the 
Italian Navy in the Mediterranean Sea. Later Hagelins (‘hags’) had a period 
of 29-31-37-41-43-47 , i.e., over 2 billion. BC-543 (Fig. 73), a printing version 
operated electrically from a keyboard, was used in the USA for medium-level 

2 For more details see A. Salomaa, 1990, pp. 44 ff., H. Beker and F. Piper, 1982, pp. 63 ff. 
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communications. Fritz Menzer from OKW/Chi developed (Fig. 73) an essen¬ 
tially improved version C-41 with more irregular movement of its key wheels, 
built as SG41 (Schliisselgerat 41) late in the war by the German typewriter 
company Wanderer Werke. After the war, Hagelin further improved his ma¬ 
chines. In 1952, the Hagelin-Crypto CX-52 entered the market, using six out 
of twelve available key wheels (H 54 built in licence by the Dr. Hell Co., Kiel). 




Fig. 72. C-35 constructed by B. C. W. Hagelin (A. B. Cryptoteknik, Stockholm) 




Fig. 73. Left: BC-543 (Hagelin Cryptograph Company, USA) 

Right: German copy Schliisselgerat 41 (SG41, Hagelin: C-41) by Wanderer Werke 


8.5.3 Wheel movement by pawls and notches. Later, when Scherbius 
introduced the reflector and three movable rotors, he abandoned the gears 
and replaced them by pawls and notches on the rotors. In the ENIGMA C, 
ENIGMA D, and Wehrmacht models the ‘regular’ movement of the rotors 
was accomplished by using one notch at the alphabet ring of each rotor. The 
‘fast’ (rightmost) rotor 7 ?jv moved at each encryption step. It 
caused for each full turn one step of the ‘medium’ (middle) ro¬ 
tor Rm , which again for each full turn caused one step of the 
‘slow’ (leftmost) rotor Rl . The period was a bit less than the 
maximal 6 = 26 3 , namely, 26-25-26 = 16 900, due to an anomaly 
in the construction of the cam mechanism: Whenever the slow = = = 

rotor Rl stepped, the medium rotor Rm made an extra step. R^RmRn 


A 
A 
A 
' B 
B 
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Except for this anomaly, there was regular, cyclometric rotor movement. The 
‘Greek’ rotors /? and 7 that were introduced later could be set, but could not 
step during operating the ENIGMA M4. 

Notches were located for the Wehrmacht ENIGMA rotors I - VUI as follows 

Rotor i n in iv v vi, vn, vm 

Notch(es) at letter Y M D R H H, U 

at different positions of the alphabet ring 3 , to be at least a little bit irregular. 
But this was only a complication illusoire. Even worse, it was “a complication 
that defeats itself,” as Kahn said ironically: If all rotors had the notches cut 
at the same letter, the cryptanalysts would not have been able to find out 
which rotor was used as the fast rotor by finding out (for known rotors) what 
letter caused the turnover. The Kriegsmarine seemingly found out about this 
and cut the notches on the new rotors VI and VH (1938) and VUI (1939) at the 
same positions. Moreover, these rotors had two notches (Plate K): one at the 
letter H, one at U. (Unlike in the commercial ENIGMA D, the notches were 
on the alphabet ring. Thus, the movement depended on the ring setting.) 
Although by using two notches the period was halved and the danger of a 
superimposition (Sect. 19.1) increased (as a countermeasure, the permissible 
length of any one message had been so drastically limited), this change made 
cryptanalysis much more difficult: “We would have had great trouble if each 
wheel had had two or three turnover positions instead of one” (Welchman). 
The rotors of the ENIGMA T (‘Tirpitz’), see Sect. 7.3.8, had five notches: 
Rotor i, eh n, rv v,vn vi, vm 

Notches at letter EHMSY EHNTZ GKNSZ FMQUY 



Fig. 74. Rotors of the Abwehr ENIGMA No. G-312, seen from two sides: 
left with 2 X 26 teeth, right with pairs of teeth used as notches 

The ENIGMA mainly employed for Canaris’ counter-espionage and espionage 
service Abwehr —a rewired version of the ENIGMA G—had no plugboard, 
but like the D model a rotating reflector. By using (see Sect. 7.3.9) pinions 
and cogwheels instead of ratchet wheels and pawls it had truly cyclometric 
rotor movement and allowed, in connection with a revolution counter (‘coun¬ 
ter’ ENIGMA), backward and forward moving by means of a crank. It had 
new rotors; but, as in the Wehrmacht ENIGMA, turnover positions were fixed 

3 For rotors I to V, the turnover happens when (with a difference of 19 letters) the tran¬ 
sitions Q—>R, E—>F, V—>W, J—-K, Z—>A occur in the window. At Bletchley Park there 
was a corresponding, rather silly mnemonic line Royal Flags Wave Kings Above. 
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to the alphabet ring (‘index ring’). The three rotors (Fig. 74) had 17 (not 19, 
as Twinn said), 15 and 11 turnover positions. This gave Dillwyn Knox quite a 
headache; but he succeeded in autumn 1941 in solving it. Knox developed on 
the Abwehr ENIGMA a special terminology: some particular simultaneous 
movements of Rn,Rm,Rl and the reflector he called ‘crab’ and ‘lobster’. 

8.5.4 Typex. Plate L and Fig. 75 show the British TYPEX (Type-X), devel¬ 
oped by Wing Commander Lywood and three more members of the RAF and 
ready in April 1935, improved by May 1938 (but not commercially available). 
It was in some respects similar to the 3-rotor ENIGMA; however, among its 
five rotors the two next to the entry were settable, but wisely did not move 
during operation. In this respect, TYPEX was cryptanalytically equivalent to 
a 3-rotor ENIGMA with a non-involutory plugboard. The lightbulb output of 
the ENIGMA was replaced by a Creed tape printer. Essential differences ex¬ 
isted in the rotor movement: It was regular, too, but basically multinotched. 
The notched rim was rigidly fixed to the rotor rim as in the commercial 
ENIGMA and the rotor core was a ‘wiring slug’ sitting in a receptacle car¬ 
rying the rotor rim and the alphabet. In some later models, the wiring slugs 
could be inserted in two orientations, P or P _1 . In a typical version, five 
slugs could be selected out of ten. There were rims with five, seven and nine 
notches; in the last case the notches were arranged so that a turnover oc¬ 
curred when in the window one of the letters BGJMORTVX was 
shown. All rotors when used together had identical notchings. TYPEXs, still 
being used by the British until at least 1956, were supplied to NATO and 
some Commonwealth countries. (ENIGMAs from the WWII surplus went 
after 1945 to many small countries. Some were in use until 1975.) 


Fig. 75. 

Left: 

TYPEX Mark E 
Right: 

Rotor machine 
of the Ottica 
Meccanica Italiana 




The rotors of the Italian OMI Cryptograph-CR (Sect. 7.3.4) could be assem¬ 
bled from a receptacle, that contained the notches, and a pair of rotor cores; 
in this way, one could speak of 14 rotors, whose movement was coupled in 
pairs, or of 7 rotors with a choice from ( 2 4 ) = 91 rotors (Fig. 75). 

From the late 1940s until the early 1980s, the North Atlantic Treaty Orga¬ 
nisation (NATO) used KL-7 rotor machines developed in the USA for multi¬ 
national communications. (The US American SIGABA was considered too 
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good to be shared.) The KL-7 (Fig. 76) had seven cipher rotors; it was in its 
mechanical aspects faintly similar to the British TYPEX, using interchange¬ 
able coding cylinders and rings. Plastic slip rings which controlled the irreg¬ 
ular rotor movement could be permuted among the coding cylinders. Each 
rotor had 36 contacts, providing for letters and digits. The KL-7 was one of 
the last rotor machines ever produced. The security of these machines had 
to be very good, since they were available even to some non-NATO countries 
and were sure to fall into the other side’s hands. This shows that cryptolo- 
gists in the 1960s had fully accepted Shannon’s maxim (Sect. 11.2.3) that a 
cryptosystem must be safe even if the device is in the hands of the enemy. 
Indeed, in 1962 the US Officer Joseph G. Helmich sold to the Sovjets tech¬ 
nical information about rotors and key lists; he was arrested in 1982 by the 
FBI. Use of the KL-7 ended at the latest in 1985 after the Walker espionage 
case—at that time it was outdated anyway. The Russian counterpart M-125, 
a 10-rotor machine, was named (|)HajiKa (‘violet’). Five rotors moved in the 
one, five in the other direction. The plugboard substitution could be varied. 




Fig. 76. Rotor machine KL-7 (cover name ADONIS) 

8.5.5 Hebern. Early in his career, the great William Friedman studied the 
rotor machines of Hebern, who was in contact with the US Navy, and in 1925 
also gave an evaluation. His test of the Hebern machine was a chef-d’oeuvre. 
He was given ten messages of about 300 characters, all encrypted with the 
same rotor arrangement, and the initial setting of the rotors. In two weeks 
of labor, he found the solution, including the reconstruction of the wiring of 
at least some rotors. The resulting report was finally declassified in 1996; 
obviously his index of coincidence (Sect. 16.1) is involved. 

The Navy under Laurance F. Safforcl and the Army under Friedman, with 
Sinkov, Rowlett, and Kullback, spent long years hunting for improvements to 
the Hebern machine. In 1932, Hebern finally designed a satisfactory machine, 
the HCM with five rotors. It had reasonably irregular rotor movement, but 
still Friedman’s group was not satisfied. 
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In the late 1930s or early 1940s, Friedman himself designed for the US Army 
Signal Corps a machine with 3 rotors and a reflector (but no plugboard), 
based largely on the ENIGMA. This led to the Converter M-325 (Patent 
filed August 11, 1944) which was built after 1944 and dubbed SIGFOY but, 
because of some practical drawbacks, was not generally introduced. 

After 1933, again under pressure from the Navy, the ‘Electric Cipher Ma¬ 
chine’ ECM Mark I was designed, a 1-rotor machine with rotor movement 
controlled by a tape, which finally fulfilled even the highest requirements. 
But Frank Rowlett succeeded in inventing further improvements, leading in 
1936 to the ECM Mark II, often simply called ECM, with the US Army also 
M-134-C and SIGABA, with the Navy CSP 889 (Fig. 77). The SIGABA had 
15 rotors; apart from 5 cipher rotors and 5 rotors for irregular movement 
sitting in a basket, another five were equivalent to a plugboard. With these 
additional rotors and without using a reflector, it proved in the 1940s to be 
the securest machine in the (Western) world. It was also the most expensive. 
The system was in use until 1959. 

CCM (‘Combined Cipher Machine), also named CSP-1700, used two adaptors 
for a connection between SIGABA and TYPEX. It turned out to be insecure. 




Fig. 77. Rotor machines ECM Mark II (M-134-C SIGABA, CSP 889) 


8.5.6 Yardley. Japan, on the way to becoming an East Asian great power, 
could not get away without diplomacy after the First World War and thus 
needed cryptology. The diplomats used code books, like everyone else. The 
government had advisors; the Polish captain Jan Kowalewski taught it the 
simplest security measures such as Russian copulation (Sect. 3.4.2). Between 
1919 and the spring of 1920, the Japanese introduced eleven codebooks, 
among them voluminous ones with 25 000 code groups. The Japanese radio 
signals naturally attracted the interest of the Black Chamber the US State 
and War Departments were jointly running. Supported by the section MI-8 
of the US War Department, the Black Chamber was organized after 1918 by 
Herbert Osborne Yardley (1889-1958). Officially, it was ancillary to the Mili¬ 
tary Intelligence Division. It was housed in New York City under strict shield¬ 
ing after the office was broken into, since 1925 it used the cover of a code com- 
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piling company, which indeed compiled and sold the Universal Trade Code. 
Yardley and his people were rather industrious and diligent; in the summer 
of 1921 they decrypted a telegram from the Japanese ambassador in London 
to his Foreign Ministry, containing delicate information about the Interna¬ 
tional Maritime Disarmament Conference that was just in preparation and 
revealing expansionist Japanese dreams in the Far East. By 1929, the Black 
Chamber had decrypted 45 000 telegrams from all parts of the globe. 

On March 4, 1929, Herbert C. Hoover acceded to office as the 31st president 
of the United States of America, and suddenly all that changed. Hoover’s 
naivete had the effect that he and Secretary of State Henry L. Stimson no 
longer wanted the disreputable services of the decryptors; the Black Chamber 
was without hesitation dissolved, effective October 31, 1929. The working 
material went to the Signal Corps of the Army, directed by Friedman. Yardley 
had to find another position; at the height of the Depression this was ex¬ 
tremely difficult. He was forced to earn money and decided in his bitterness 
and distress to write a book, a startling expose with the title The American 
Black Chamber (Indianapolis, 1931). Yardley was a superb storyteller and 
the book was an immediate success. But he provoked the anger and scorn 
of his government. In defense, he accused the State Department of grossly 
neglecting the interests of the USA in using “sixteenth-century codes,” and 
stated that it had no right to bring moral pressure to bear on him. More 
serious were the objections from his professional colleagues; they knew better 
than Stimson that in view of the possibility of war the national interest not 
only disallowed a violation of state secrets, but also called for continuity of 
cryptological competence. 

The Yardley case had a legislative sequel. The 73rcl Congress of the USA 
debated in 1933 a controversial bill introduced by the Roosevelt administra¬ 
tion, making it punishable to publish or furnish without authorization matter 
which was obtained while in the process of transmission between any foreign 
government and its diplomatic mission in the United States. The freedom of 
the press was infringed and Public Law 37, the Lex Yardley, went into Sec¬ 
tion 952 of Title 18 of the United States Code, but no criminal prosecution 
ensued against Yardley. 

Yardley had enumerated nineteen countries whose diplomatic codes had been 
compromised, among them eleven South-American countries, Liberia and 
China—not surprising anyone—but also Britain, France, Germany, Spain 
and the Soviet Union, where at least officially nobody could express moral 
disgust (it was said that in the 1920s every larger European country was in 
the possession of one or more American code books)—and Japan. 

The book became a tremendous success, not least due to the public stir the 
affair created. It sold 17 931 copies in the USA and a further 5 480 in Britain, 
which were unheard-of numbers for a cryptology book. Translations followed 
into French, Swedish, Chinese—and Japanese. A sensational 33 931 copies 
were sold in Japan, showing that Yardley had touched a nerve in the Japanese 
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soul. 

There, a member of the House of Peers used quite impolite and harsh words; 
throwing blame on his own Foreign Ministry, he spoke of a “breach of faith 
committed by the United States Government”; the foreign minister and for¬ 
mer Japanese ambassador to the United States spoke of “dishonor”. Yardley 
was slandered. And still he had rendered Japan the greatest service he could 
by stimulating a radical improvement of her cryptanalytic security. As a 
result, the Japanese multiplied their efforts on mechanizing encryption. 

In 1938, Yardley was hired by Chiang Kai-shek and subsequently broke 
Japanese columnar transpositions. In 1940 he returned; he went in June 1941 
to Canada to work on spy ciphers, but was replaced after six months, under 
Anglo-American pressure, by the approved and reliable Oliver Strachey. 



Fig. 78. Japanese ENIGMA imitation, GREEN machine 


8.5.7 Green, red and purple. 

Following a familiar pattern, the Japanese studied the machines of other 
countries, in particular those that were accessible through the patent litera¬ 
ture: the ENIGMA, the machines of Damm and Hagelin, and those of Hebern. 
For machines with the Latin alphabet, the common Hepburn transliteration 
of kana into the Latin alphabet was used. The Japanese imitation of the 
ENIGMA D, denoted GREEN by American cryptanalysts, was a strange 
construction with four vertically mounted rotors (Fig. 78) and did not achieve 
great importance. Next, the half-rotors of Damm showed up in the Angooki 
Taipu A (Cipher Machine A), called RED in American jargon. Apart from 
a fixed permutation by a plugboard, it had a half-rotor with 26 slip-rings 
(Fig. 79). The wiring permuted the six vowels onto them and therefore also 
the 20 consonants and thus needed (two times) 60 exit contacts, since 60 is 
the least common multiple of 6 and 20. The reason for this cryptologically 
rather disadvantageous separation may have been in the tariff regulations of 
the international telegraph union, requiring ‘pronounceable’ words. 
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The Japanese RED machine was a very poor cryptosystem, not much better 
than Kryha’s machine. Its predecessor M-2, used since mid-1933, had already 
two half-rotors, one with six, one with 20 slip-rings, and followed Damn’s 
patent 1,502,376 of July 22, 1924. Laurance Safford claimed that it was com¬ 
pletely reconstructed in 1936 by Agnes Driscoll. In the RED machine, rotor 
movement was accomplished by a gear with 47 positions, with 4, 5 or 6 gaps. 
Cryptologically it performed two separate ALBERTI encryptions of the vowel 
and the consonant group. It is not at all surprising that the RED machine 
(Fig. 80) was attacked in 1935 by Kullback and Rowlett of the US Army and 
solved in 1936. In the spring of 1936, Werner Kunze at Pers Z of the German 
Auswartiges Amt directed his interest to M-l, working with the kana alphabet 
(called ORANGE in American jargon). Jack S. Holtwick from the US Navy 
had a similar goal. They both succeeded, Kunze with RED by August 1938. 
In 1934 RED was also broken at GC&CS by Hugh Foss and Oliver Strachey. 




Fig. 79. Half-rotor with 26 slip-rings in the Japanese machine Angooki Taipu A 


Fig. 80. American reconstruction RED 
of the Angooki Taipu A with 
two half-rotors, machine based 
on patents by Arvid Damm 

In 1937, Japan started the development of a much more secure encryption ma¬ 
chine. It replaced the RED machine in the diplomatic service and was put in 
operation in February 1939—the first unreadable messages picked up went 
in March 1939 from Warsaw to Tokyo. The Angooki Taipu B (Cipher Ma¬ 
chine B, also 97 -shiki obun injiki, alphabetic typewriter ’97), called PURPLE 
in American jargon, included a new feature, used for the first time by the 
Japanese, namely, stepping switches (uniselectors), known from telephone ex¬ 
changes. The separation into two groups of six and 20 characters was kept, al¬ 
though later the six characters no longer had to be vowels. It turned out that 
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the number of available alphabets was cut to 25, and the mapping was quite 
irregular and determined by the internal wiring. To find this needed the con¬ 
centrated, months-long work of a whole group of people, not only Frank Row¬ 
lett, but also Robert O.Ferner, Albert W. Small, Samuel Snyder, Genevieve 
Feinstein (nee Grotjan), and Mary Jo Dunning. They first found the mapping 
of the 6-vowel group, and they had indications that the number of alphabets 
was 25. But as for the 20-consonants group, they were in the dark, and no one 
could identify a known electromechanical encryption step that would produce 
the observed effects. When the situation seemed almost hopeless, in midsum¬ 
mer 1940, a newly arrived recruit from MIT, Leo Rosen, was initiated—and 
he hit upon the idea that the Japanese may have used stepping switches 
(Fig. 81). That gave the work a fresh impulse, and the mystery was soon sol¬ 
ved: there were three banks of stepping switches, and the wiring connections 
could be established. On September 20, 1940, an important discovery was 
made by Genevieve Grotjan, and only a week later, after 18 months of work, 
the first complete PURPLE solution was achieved. A working reconstruc¬ 
tion of the machine was built; on February 7, 1941, the British in Bletchley 
Park were given a copy. The RED machine had paved the way, and many 
weaknesses in the encryption discipline of the Japanese gave clues, hints and 
cribs, but it was a victory of the US Army cryptanalytic bureau “that has 
not been duplicated elsewhere ... the British cryptanalytic service and the 
German cryptanalytic service were baffled in their attempts” (Friedman). 



Fig. 81. Stepping switch bank of the Japanese PURPLE machine 

Strategically, the PURPLE break was of highest importance, the Americans 
spoke of MAGIC. But the British had their victory, too—over the German 
ENIGMA; they called it ULTRA. However, David Kahn reported that the 
Russians, and Jurgen Rohwer and Otto Leiberich reported that the Germans 
also solved PURPLE, which had a theoretical security ‘significantly greater’ 
(Stephen J. Kelley) than the 3-rotor ENIGMA and comparable to the 4-rotor 
ENIGMA. Once the internal wiring of the PURPLE machine was understood, 
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it proved to possess only mediocre security, comparable to RED. It seems that 
the Japanese underrated the cleverness of the Americans; also they believed 
that their language would protect them and would not be understood fully 
elsewhere. The follow-up machines they built used stepping switches too and 
were only slightly more complicated: one, called CORAL in the American 
jargon, gave up the separation into 20+6; it was finally broken by OP-20-GY 
with the help of Hugh Alexander from GC&CS in March 1944. Another one, 
called JADE, was unique because it printed in kana symbols. Otherwise it 
had only minor added complications and was broken in due course. 

The Japanese also had a very transparent system in their daily plugboard ar¬ 
rangements, and the bad habit of sending changes to the keying as encrypted 
messages—thus keeping the foe, once he had broken in, always up to date. 
Even the ‘key to the keys’ was discovered by Frank Raven in 1941. 


8.6 Off-Line Forming of Key Sequences 


8.6.1 Matrix powers. For VIGENERE and BEAUFORT encryption, 
‘irregular’ key sequences of cycle numbers from Zjy are required. A much 
favored method uses successive powers modulo N of a regular k x k matrix 
T, sufficiently different from the identity. Since the number of such matrices 
(Sect. 5.2.3) is less than N k , some power T r must give identity for the first 
time. The number r = r(T, N) is called order of the matrix T in A N . 


For example, the matrix T 
(see also Sect. 9.4.2): 



with k = 2 has the following order 


N= 2 3 4 5 6 7 8 9 10 11 12 13 16 20 23 24 25 26 32 48 64 80160 
r= 3 8 6 20 24 16 12 24 60 10 24 28 24 60 48 24100 84 48 24 96 120 240 


Picking up a suitable z-j-element of the matrix powers produces a sequence 
of cycle numbers with the period r(A, N) such that no smaller period exists. 
A particularly convenient form of a matrix T is a k x k ‘companion matrix’ 
of the form 


(*) 


T = T(ot\,a2, otk) = 


/° 

0 

0 .. 

.. 0 

Oik 

1 

0 

0 .. 

.. 0 

Oik-1 

0 

1 

0 .. 

.. 0 

Oik-2 

0 

0 

0 .. 

.. 0 

Oi2 

Vo 

0 

0 .. 

.. 1 

Oi\ 


The 1-fc-element of the powers of this matrix is then the last element of the 
iterated vector ti=toT l = ti-\T , if the initial vector is fo = (l 0 0 ... 0 0). 
To produce these iterated vectors, a shift register with k positions is used. 
Shift registers in connection with a companion matrix are also called linear 
shift registers. Using a basis analysis, they allow an easy break (Sect. 20.3). 
Non-linear shift registers are preferable: they form the next element of the 
sequence by some arbitrary function of the last k elements. 
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Simple steps for achieving non-linearity, like reversing the order of the vector 
components after each step, may be dangerous: non-linearity may lead to 
very short periods (Selmer 1993, Brynielsson 1993). 

8.6.2 Bit sequences. For the binary case TV = 2 of a VERNAM encryp¬ 
tion, the key sequences are (0, l)-sequences, where 0 stands for the identity 
O and 1 for the reflection L. For example, the matrix (k = 3) 

/0 0 1 
T= 10 1 

\0 1 0 

modulo 2 yields the sequence (1001011 1001011 1001011 ...) 
with the period 7 = 2 3 — 1. Since there are 2 k different fc-bit vectors, and 
the zero vector is invariant, it is obvious, that the maximal reachable period 
is 2 fc —1. One can show (Oystein 1948): 

If the polynomial x k — ot\X k ~ l — a 2 x k ~ 2 — ... — a*, over the field Z 2 = F(2) 
is irreducible, then every vector sequence iterated with T = T(a\,a 2 , ... ctk )) 
has a period, which is a divisor of 2 fe —1. 

For k = 31, the polynomial a; 31 + x 13 + 1 is irreducible over Z 2 = F(2); 
2 31 —1 is prime and amounts to more than 2 billion. 

If 2 fc —1 is prime (2 fc —1 is then called a Mersenne prime 4 5 ), then there are 
only the periods 2 fc —1 and 1; the sequence (0000 ...) has the period 1. 

For N = 2, i.e., in Z 2 , there are only the VIGENERE and BEAUFORT 
steps +0 and +1, that is, the VERNAM steps O = +0 and L = +1. 
Polyalphabetic binary encryption needs a particularly long period and a good 
mechanism for the generation of an irregular (0,1) sequence. 

8.6.3 In principle, from every polyalphabetic set of block encryption steps 
Xi with uniform encryption width m, which can be rather large, a finite 
sequence (Sect. 2.3) X = (Xin Xi 2 > ••• > Xi s ) can be formed and X can be 
iterated on an initial key u = (u±,u 2 ,..., u s ); the progressive sequence 

u , X(u) , X 2 (u) , X 3 (u) , ... 

is in fact periodic, but mostly with a very large period 0 such that it may be 
usable as a quasi-nonperiodic key sequence. As an example, in Sect. 9.5.2, X 
will be defined with the help of the h -th power of u modulo a prime p , 


4 Marin Mersenne, 1644. Cataldi, in 1588, had treated 2 17 — 1 , 2 19 — 1 . Primality of 2 31 —1 
was proven in 1772 by Euler, of 2 61 —1 in 1883 by Pervushin; 2 12 '—1 had already been 
proven in 1876 by Lucas. Powers, in 1911 and 1914, found 2 89 —1 and 2 107 —1 to be prime. 
The next primes 2 s 21 —1, 2 607 —1, 2 1279 —1, 2 2203 — 1, 2 2281 —1 were discovered in 1952 by 
Ralph M. Robinson using the SWAC. Fourteen more followed, then 2 756839 —1 (1992), 
2 859433_ 1 ( 1994 ) ; 2 1 257 787_i ( 1995 ), 2 13932 6 9 -1 (1996), 2 2976221 -1 (1997), 2 3024377 -l 
(1998), 2 6972593 -l (1999), 2 13466917 -1 (2001), 2 29 " 6 911 -l (2003), 2 24036583 -l (2004), 
2 39 402 457 — i (2006) — recently the exponent was roughly doubled every two years. 

5 Following Robert Floyd, the period of X can be determined with minimal storage re¬ 
quirement in the following way: Let ao = u , bg = u and a;_|_i = X (a,), \ = X 1 (h t ). 

As soon as a n = b n , there is X"(u) = X 2n (u) and n is a period. 
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X(u) = u h mod p , X s (u) = mod p . 


8.7 Nonperiodic Keys 


A nonperiodic encryption (Sect. 2.3.3) requires 8 > 2 and a nonperiodic 
sequence (x Sl , \s 2 ■> Xs 3 • • • ) °f polyalphabetic encryption steps. It is char¬ 
acterized by the index sequence (si, S 2 , S 3 , ...) with 0 < s M < 8 , or by the 
proper fraction O.S 1 S 2 S 3 ... in a number system with the base 8 > 2. Thus, 
there exists for every computable irrational real number and for every 8 > 2 
a nonperiodic infinite encryption with a key sequence (Aq, Aq, A 3 where 
k, = Xsi ( see Sect. 2.6). Let M°° denote a cryptosystem with this property. 


8.7.1 Delusions. For 8 = 2, a nonperiodic VERNAM encryption, such as 
one with the infinite index sequence (the ‘running key’) 

(LLOLOOOLOOOOOOOL...) 

L if p = 2 k for some k , 

O otherwise, 


l.e., In = 


gives no advantage compared with a periodic encryption—it is even worse. 
But even a nonperiodic encryption with the key sequence (Axel Thue, 1904; 
Marston Morse, 1921) of the ‘Mephisto-Polka’, as used by Max Euwe in 1929, 

(LOOLOLLOOLLOLOOLOLLO ...) 


has a quite transparent law of key formation, allowing a recursive calculation. 

And the fractal sequence of {0, L}-words 
a 0 = ( 0 ) 

01 = (L) 

a 2 = (O L) 

a 3 = {L O L) 

a 4 = (O L L O L) 

a 5 = {LOLOLLOL) 

a 6 = {OLLOLLOLOLLOL) 

a 7 =(LOLOLLOLOLLOLLOLOLLOL) 


defined by the Lindenmayer term replacement system (Lindenmayer, 1968) 
f 0 -» L 
\L-> 0 L 

also has a transparent law of key formation: for i > 2 it is a, = aj _2 o at- 1 . 
Obviously, nonperiodic sequences can be quite ‘regular’. How easily can a 
nonperiodic index sequence be obtained, that is, a sequence ‘irregular’ and 
nevertheless known to both the encryptor and the authorized clecryptor? 
The idea of taking as a key a text from a widespread book is reinvented 
mainly by amateurs. According to Shannon’s rule “the enemy knows the 
system being used” this leads to a fixed key, with all the dangers already 
mentioned in Sect. 2.6.1. For meaningful key texts in a common language, 
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a systematic zig-zag approach for breaking the encryption exists (Sect. 14.4) 
for Shannon cryptosystems with known alphabets (Sect. 2.6.4). 

8.7.2 Autokeys. It is not surprising that the prospects for deriving a non¬ 
periodic key from the plaintext were discussed very early. The decisive step 
was made by Geronimo (Girolamo) Cardano (1501-1576). After Bellaso had 
introduced polyalphabetic substitution with keys, Cardano used the plaintext 
in his book De Subtilitate in 1550, starting the key over from the beginning 
with each new plaintext word: 

sic ergo element is 

SIC SICE SICE RGOEL. 

NTF ZCLT ZVHRYVIPE 

The alphabet is Z 2 o U {x, y} , the encryption is linear polyalphabetic with 

abcclef ghi 1 mnopqr s t vxyz 
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

The idea of an autokey (French autoclave, autochiffrant ) was conceived with 
the best intentions, was even fascinating; but Cardano presumably never tried 
it. The encryption is now polyphonic, s and S as well as f and F yield N; 

i and I as well as x and X yield T; c and C as well as p and P yield F, 

etc. The unauthorized decryptor has no more work to find the right combi¬ 
nation among 2 k ones (if the first word has k letters) than the authorized 
decryptor. Bellaso tried to remedy the defect by encrypting the first word 
according to Trithemius, then for each following word the first letter of the 
previous plaintext word and the letters following it were used as keys: 

sic ergo element is 

ABC S T V X EFGHILMNO 

TME ZNDM LRNVPZGYH 

But this was still a fixed method. Then Blaise de Vigenere had the brilliant 
idea of introducing a short, freely selected priming key: He chose at will the 
first letter of the key (say D) and took as further key characters either (1) 
those of the plaintext or (2) those of the cryptotext (‘autokey’): 
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In this case, the polyalphabetic encryption over Z 2 0 (Fig. 82) was a self¬ 
reciprocal PORTA encryption and not a la Vigenere. The second kind, how¬ 
ever, is useless: the key is completely exposed, and the whole message (except 
for the first character) can be decrypted at once (Shannon 1949). 
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Fig. 82. PORTA encryption for Z 20 by G.B. and M.Argenti 


Security is better with the first kind: It is a recurrent method, only knowing 
the first key character helps. But the two dozen or so possibilities are quickly 
tested. A remedy is to use a priming key of some d letters instead of only one 
letter. The combinatorial complexity is nevertheless the same as that of a 
periodic encryption with a key of length d. For sufficiently large d testing is 
no longer feasible, but if the same priming key is used repeatedly for different 
messages, superimposition (Sect. 19.1) may help break it. Thus, the priming 
key should be comparable in length with the message—but then an autokey 
continuation no longer makes sense. 

A further disadvantage is the spreading of encryption errors—a general weak¬ 
ness of all autokey methods. 

Babbage reinvented the autokey—this time even with a mixed alphabet— 
and, although he first thought it to be unbreakable, also gave solutions in 
particular cases. Much later, in 1949, Shannon remarked that recurrent 
VIGENERE encryption is equivalent to VIGENERE encryption of period 2 
— clearly a new case of a complication illusoire. If the plaintext is divided 
into groups a± 02 03 ... of length d and if D is the priming key, then the 
following identities (mod N) hold for the cryptotext C\ C 2 C 3 ... : 

Ci = ai + D , Ci = a,; + ai-i {i = 2, 3, ...) 

and thus the recurrent identities 
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Ci 

— ai + D 

C 2 -Cl 

= a 2 - D 

c 3 -c 2 + C\ 

= a 3 + D 

C 4 -C 3 + C 2 - Cl 

Q 

1 

<3 

II 


and so on, thus the sequence 


Ci , c 2 - <?! , C 3 - C 2 + Ci , C 4 - C 3 + C 2 - Ci , ... 

can be treated like a polygraphic VIGENERE of period 2, i.e., like two al¬ 
ternating polygraphic CAESAR additions. Even the use of a mixed alphabet 
doesn’t change this. An analogous result holds for recurrent BEAUFORT. 

8.7.3 Klartextfunktion. The idea of influencing the keying procedure of 
encryption machines in some hidden way by the plaintext shows up again in 
the patent literature around 1920 (‘influence letter’, in the patent applica¬ 
tion of October 10, 1919, by Arvid Gerhard Damm, Swedish Patent 52279, 
US Patent 1502 376). Thus, with the cipher teletype machines T 52d and 
T 52e of Siemens and SZ 42 of Lorenz, the (irregular) movement of the en¬ 
cryption elements could be further obfuscated (“mit Klartextfunktion ’’) and 
the encryption was practically nonperiodic. However, in the case of noisy 
transmission channels this frequently led to an ‘out-of-phase’ problem with 
the encryption; the Klartextfunktion was therefore, very much to the relief of 
the British decryptors, used only for a few months towards the end of 1944. 

8.7.4 Stream cipher. A recurrent encryption of the kind Cj = f(pi,Pi~ i) 
Cardano, Vigenere, and Babbage used is a special case of the modern stream 
cipher (German Stromchiffrierung) Cj = X(p, ; , kf) , a nonperiodic encryption 
where the infinite key hi is generated by a finite automaton G as key generator 
ki = G(ki-\,pi-i ), with k\ as priming key. The hidden complexity lies in G. 


8.8 Individual, One-Time Keys 

8.8.1 Vernam. Given the fact that recurrent encryption is not much better 
than quasi-nonperiodic encryption, it is still possible that in a secure crypto¬ 
system the sender and receiver are equipped with a theoretically unlimited 
supply of secret keys, each one being genuinely irregular, with no meaning and 
holding no information, being random and used only one time, an individual 
key (British jargon ‘individual tables’, German jargon i-Wurm, Zahlen- 
wurm). Vernam seems to have evolved this idea incidentally in 1918, but 
it spread fast between the two World Wars; early traces can be found in the 
USA, in the Soviet Union, and in Germany. 

8.8.2 Endless and senseless. Major Joseph O.Mauborgne, later Major 
General and Chief Signal Officer, US Army (1937-1941), took heed in 1918 of 
Parker Hitt’s 1914 admonition—“no message is safe in [the Larrabee] cipher 
unless the key phrase is comparable in length with the message itself”—and 
introduced in connection with the VERNAM encryption steps (Sect. 8.3) the 



162 8 Poly alphabetic Encryption: Keys 


concept of a one-time key ( one-time tape, one-time pad, OTP), thus welding 
the epithet endless (infinite) to Morehouse’s (see Sect. 8.3.2) senseless. 

In Germany, Kunze, SchaufScr, and Langlotz in 1921 (if not before) proposed 
blocks with 50 sheets, each one containing 240 digits (in 48 groups of fives) for 
superencryption of numeral codes. Apart from one-time pads, the German 
Auswdrtiges Amt used superencryption by double additives (see Sect. 9.2.1). 
The Soviets, too, changed to the use of individual keys in 1926 after a British 
indiscretion, very much to the distress of Ernst Fetterlein, the specialist for the 
Soviet Union in the British GC&CS. The Soviets kept a liking for individual 
keys; Plate O shows a matchbook-sized sheet found on a Russian spy. 

By their very nature, one-time keys should be destroyed immediately after 
use. With Vernam-type machines, shredding the used key tape can be done 
mechanically. A great practical difficulty is to provide enough key material for 
heavy traffic, in particular in unstable situations on the battlefield. These dif¬ 
ficulties are more manageable for military headquarters, at diplomatic posts, 
or in a strictly two-way spy correspondence—and in such situations one-time 
keys are frequently used, provided the key supply cannot be cut off. 

8.8.3 Practical use. The Wehrmacht introduced in 1943 for its highest com¬ 
mand level teletype machines with an additional key tape reader for one-time 
tapes (Siemens Schliisselfemschreibmaschine T 43, Blattschreiber T typ 37f, 
Fig. 83). They were used in 1944 between the new Funkfernschreibstelle of 
the OKH in GolBen, 50 miles southeast of Berlin and several Army Groups, 
including the Fiihrerhauptquartier in East Prussia, as a substitute for SZ42. 6 
Later, parts of this Funkfernschreibstelle were transferred into the bunker of 
the OKH near Zossen (‘Zeppelin’); in the autumn they were evacuated to 
the area of Bad Reichenhall-Berchtesgaden, in the alleged alpine mountain 
stronghold ‘Serail’. Scarcely more than two dozen machines were brought 
into use. 



Fig. 83. Siemens S chlus s elfernschreib- 
maschine T 43, with 
Blattschreiber T typ 37f 


The US State Department started in 1944 to use SIGTOT, a VER.NAM cryp¬ 
tosystem of the Army with one-time keys for its most secret diplomatic mes¬ 
sages. The Army also used M-134-A (SIGMYC), a five-rotor machine whose 


Presumably identical with the machine called THRASHER in Bletchley Park. 
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rotors were moved by a one-time 5-channel tape. The VERNAM system was 
in January 1943 replaced by a rotor system, too, the M-228 (SIGCUM) devel¬ 
oped by Friedman. After a few days of practical use, Lt. Col Frank Rowlett 
found a weakness of the system, which was therefore temporarily withdrawn 
and replaced in April 1943 by an improved version. 

Just a handful of postwar designs were true one-time key systems, among 
which may be mentioned the Mi-544 from Standard Elektrik Lorenz (Ger¬ 
many), and the Hagelin T-52 and T-55 from Crypto AG (Switzerland). The 
Russians called their one-time tape machine araT (‘agate’; „Achat“, M-105). 

8.8.4 Bad habits. The sequences of letters or digits of an individual key 
should not show any regularity, should be random. Good stochastic sources 
are expensive. Kahn made the following remark on Russian individual keys: 

“Interestingly, some pads seem to be produced by typists and not by ma¬ 
chines. They show strike-overs and erasures—neither likely to be made by 
machines. More significant are statistical analyses of the digits. One such 
pad, for example, has seven times as many groups in which digits in the 
l-to-5 group alternate with digits in the 6-to-0 group, like 18293, as a purely 
random arrangement would have. This suggests that the typist is striking 
alternately with her left hand (which would type the l-to-5 group on a Con¬ 
tinental machine) and her right hand (which would type the 6-to-0 group). 
Again, instead of just half the groups beginning with a low number, which 
would be expected in a random selection, three quarters of them do, possi¬ 
bly because the typist is spacing with her right hand, then starting a new 
group with her left. Fewer doubles and triples appear than chance expects. 
Possibly the girls, ordered to type at random, sensed that some doublets and 
triplets would occur in a random text but, misled by their conspicuousness, 
minimized them. Despite these anomalies, however, the digits still show far 
too little pattern to make cryptanalysis possible.” 

8.8.5 The category of holocryptic methods. If the individual key 
comes from a stochastic source emitting all characters independently and with 
equal probability, then common sense says that the plaintext encrypted with 
this keytext is an ‘unbreakable’ cryptotext, is holocryptic. (The expression 
was used by Pliny Earle Chase as early as 1859.) What this intuitively means, 
seems to be clear at first sight; it is also worth observing that in this book all 
cryptanalytic methods assume preconditions that are violated for holocryptic 
encryptions. But this is no proof; in fact the problem is to give a precise 
formulation of ‘holocryptic’, necessarily one of stochastic nature. The most 
intelligible one so far was given in 1974 by Gregory J. Chaitin, based on the 
work of A. N. Kolmogorov. Following him and Claus-Peter Schnorr (1970), 
we require that for the infinite key sequence of a nonperiodic encryption (see 
Sect. 2.3.3) to be rightfully called holocryptic the following holds: 

For every finite subsequence there does not exist a shorter algorithmic 
characterization than the listing of the subsequence—no subsequence can 
be condensed into a shorter algorithmic description. 
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As a consequence, no sequence generated by a machine, i.e., by a fixed algo¬ 
rithm, is holocryptic. Algorithms in this context are to be understood in the 
universal sense of the Church thesis. Thus, no digit sequences (see Sect. 8.7) 
are suitable that characterize computable irrational numbers. Numbers like 
y/2, \/5, vTf are not suited anyhow, for they can be guessed too easily. 

The set of non-computable real numbers is still very large. It is not known 
whether every non-computable real number defines a holocryptic encryption. 
Note: tests can in the best case disprove, but cannot prove randomness. 

8.8.6 Fabrication of holocryptic key sequences. Physical effects, used 
today for the generation of ‘true’ random keys are based on the superimpo¬ 
sition of incommensurable oscillations or on chaotic nonlinear systems. It 
seems that they are more reliable than the noise effects of vacuum tubes and 
Zener diodes used around 1950, or Geiger counter recordings. Vacuum tube 
noise was used in 1943 for the production of individual keys for the British 
ROCKEX system, a VERNAM encryption that served the highly sensitive 
traffic of the British with the USA -about one million words per day, or in 
more modern terms, the content of four 1.44-MB 2HD floppy disks per day, 
or three 650-MB CD-ROMs per year. 

8.8.7 Misuse of one-time keys. The practical use of one-time keys raises 
its own philosophical problems. Erich Hiittenhain has reported that in the 
Auswartiges Amt , according to the security regulations, each one-time key 
sheet in a block of one hundred should have existed only in one original and 
one copy. In fact, nine copies were made and distributed, with permuted 
ordering, to five diplomatic missions. 

The “Venona breaks” of Richard Hallock, Cecil James Phillips (1925-1998), 
Genevieve Feinstein, and Lucille Campbell into the highest Soviet cryptosys¬ 
tems (attack started on Febrary 1,1943 and was continued until 1980) were 
also achieved on account of occasional re-issue of the same one-time pads. 
Phillips found out in summer 1944 that the first 5-digit cipher group is the key 
indicator. This break later broke the necks of the Soviet spies Julius and Ethel 
Rosenberg, and revealed finally Harold ‘Kim’ Philby, Guy Burgess and Donald 
Duart Maclean, Klaus Fuchs, Harry Gold, David Greenglass, Harry D. White, 
Theodore Hall, and William Perl as spies. On the other hand, the Soviets were 
warned in 1946 by William Weisbancl and in August 1949 by Philby, which 
may have caused the Soviets to stop using the duplicate OTPs after 1949. 

A clear violation of the idea of a holocryptic encryption is the fabrication of 
key sequences by a machine. If then a cryptotext-cryptotext compromise hap¬ 
pens between such a system and, say, a system using additives periodically, 
and if the latter system is duly broken, then the one-time pad with the al¬ 
leged stochastic key lies open. Provided there is enough material, the machine 
that generated the keying sequence can be reconstructed. This happened in¬ 
deed for the German diplomatic cipher Blockverfahren (dubbed GEE by the 
American SIS): The OTP ( i-Wurm ) the German Auswartiges Amt had used 
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showed a regularity and Bletchley Park could even find out what machine was 
involved—a TICOM report (around 1945) states that “Captured files of the 
Foreign Office show that Number Printer apparatus was purchased from the 
German firm Maschinenfabrik Otto Krebs and Clemens Mueller. ... Similar 
apparatus was offered for sale to the British Government on 14 June 1932 by 
the English firm Loranco Ltd., Engineers by a Mr Lorant”. 

8.9 Key Negotiation and Key Management 

8.9.1 Weakness of keys. The single characters of a key serve for the 
formation or selection (see Sect. 2.6) of an encryption step in an encryption 
system. Such a system can be monoalphabetic or polyalphabetic: in any case 
an encryption step should never be used a second time, if scrupulous cipher 
security is required. 

In the monoalphabetic case, an encryption satisfying this requirement must 
be polygraphic with a width that can cover a whole message. This would be a 
great practical inconvenience. Thus, polyalphabetic encryptions with a lesser 
width come under consideration, in particular monographic ones. Moreover, 
the strict requirement never to use an encryption step a second time, may 
be weakened to the requirement of an individual one-time key (Sect. 8.8),— 
i.e., a key never used again as a whole—which shows a complete lack of any 
regularity in the sequence of encryption steps, since this already guarantees in 
the sense of Chaitin and Kolmogorov that the encryption cannot be broken. 
Although before 1930 in the USA, Germany, the Soviet Union, and else¬ 
where individual one-time keys were already highly appreciated for very spe¬ 
cial tasks, their practical drawbacks led to a widespread tendency to accept 
weaker, only relative, encryption security. 

8.9.2 Dangerous key negotiation. It cannot be emphasized strongly 
enough (see Sect. 2.6.1) that the key negotiation between two partners is a 
particular weakness of every cryptological system. To master a frequently 
large distance safely depends (see below) on the reliability of the messenger, 
which is difficult to guarantee, as well as on their availability. 

Therefore, there have been many attempts in the history of cryptology to 
cover the key negotiation itself by cryptological remedies; possibly even by 
steganographic measures. 

Though it may look promising to perform the key negotiation for some cryp¬ 
tological system within this system itself—the more if one is strongly con¬ 
vinced of the unbreakability of such a system; just this should be avoided by 
all means, since a break into the material that is serving for key negotiation 
may then compromise the whole system. At least it is necessary, as the 
German Navy did later in the war by using bigram tables, to submit the key 
negotiation to some additional enciphering in a different kind of system. 

The idea of encrypted key negotiation by a message key indicating the start¬ 
ing position of some mechanical key generator was latent for quite some 
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while and was not only propagated, e.g., for the commercial ENIGMA of 
1923, but also accepted for the 3-rotor ENIGMA of the Reichswehr and of 
the Wehrmacht. The key negotiation was then the entry point for the break 
the young Polish mathematicians succeeded with in 1932 against the German 
ENIGMA enciphered traffic. The German side—except for the Navy—had 
strongly underrated the capabilities of their adversaries and had not consid¬ 
ered it necessary to make the procedure of key negotiation more complicated; 
always with the excuse, not to burden more than necessary the capacity of 
the signals traffic and the capabilities of the cipher clerks. 


Extravagant methods to bypass such a vulnerable key negotiation are feasible, 
for example, by using two encryptions X^ 1 ), X^ 2 ) that commute: 


( 1 ) ( 2 ) ( 2 ) ( 1 ) 

Xi Xi X = Xi Xi X , 


say two VIGENERE or VERNAM encryptions. In this case, the sender en¬ 
crypts his plain message with X^ 1 ) according to a key A/ 1 ) chosen at random 
by him; the recipient applies X (2 ) according to a key A/b chosen at random 
by him and sends this new cipher back to the sender. This one interprets 
it because of the commutativity of X^ 1 ) and X^ 2 ) as a message he has en¬ 
crypted, which he can decrypt by means of his key k 1 ) . The partly decrypted 
message he sends now to the recipient, who in turn interprets it as a message 
he has encrypted, which he can decrypt by means of his key k ® . Thus, 
he obtains the original plain text. The disadvantage of this method is the 
need for a threefold transmission. If the message is short, this can be toler¬ 
ated. Therefore the method would be good for transmitting vital information 
like passwords or a key to be used subsequently by some different encryp¬ 
tion method. Since after all neither the plain message nor one of the keys 
are transmitted openly, the method seems to be safe. However, the devil 
is lurking already, as the following simple example with two VIGENERE 
encryptions over Z 26 shows: 

Sender A chooses key A Q S I D, which is not known to the recipient. 
Recipient B chooses key P Z H A F, which is not known to the sender. 


The plaintext /image/ is encrypted by the sender 
with A Q S I D : 

I C S O H is sent to the recipient, 
who encrypts it with P Z H A F : 

X B Z O M is sent back to the sender, 
who decrypts it with the help of A Q S I D: 

X L H G J is finally sent back to the recipient, 
who decrypts it with the help of P Z H A F: 
and thus obtains the message /image/ . 


i mage 
+ A Q S I D 

I C S O H 

I C S O H 

+ P Z H A F 

X B Z O M 

X B Z O M 

-AQS I D 

X L H G J 

X L H G J 

- PZHAF 
i mage 
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Over the open transmission line the two signals X B Z O M 
and I C S O H are sent, whose difference exposes the key of B : 

(likewise, XBZOM and X L H G J expose the key of A). 

This means that by decrypting X L H G J with the help of 
this key P Z H A F the plaintext /image/ is compromised: 


The reason for this possibility of a break is that the keys form a group with 
respect to the composition of encryptions (see Sect. 9.1) and moreover one 
that is typical for the encryption method -the cyclic group of order 26. The 
encryption steps can be expected to be known. 

A safeguard against the break is only given if at least one of the two decryp¬ 
tion processes is made so difficult that it is practically intractable. This 
amounts to using an encryption method where the knowledge of an en¬ 
cryption key does not suffice to derive the decryption key efficiently. Such 
a thought was expressed in 1970 by James H. Ellis (fl997), and Clifford 
Cocks found in 1973 in the multiplication of sufficiently large prime numbers 
the wanted practically non-invertible operation, as disclosed in 1998 by the 
Communication-Electronics Security Group of the British Government Com¬ 
munications Headquarters (G.C.H.Q.). But if so, then the recipient B might 
as well publicly announce the key to be applied for messages that B should 
be able to decrypt. Moreover, the first and second steps of the method can be 
omitted. This produces the idea of an asymmetric encryption method, pub¬ 
lished in this form for the first time in 1976 by Whitfield Diffie and Martin 
E. Heilman—see more in Sect. 10.1.2 . The British were forced to keep silent 
and had to watch how their discoveries were repeated three years later. 

For asymmetric encryption, a clever realization for this secure key negotiation 
‘without exchanging keys’ was patented for Diffie and Heilman in 1980. The 
idea was found in 1974 by Malcolm Williamson, a colleague of Cocks. 

8.9.3 Hierarchical key management. As soon as a communications 
network includes a large number of nodes and links, “key handling” is to be 
extended to “key management” . The secure distribution of keys becomes the 
most difficult task of a key management scheme. Keys in transit must be pro¬ 
tected from interception. Keys can be distributed on a secure path manually 
by couriers (preferred by diplomats and the military) or by registered mail 
(formerly preferred by commercial users) while telegraph, telephone, telefax, 
and the Internet are dubious. Normally the older channels cannot be utilized 
for the transmission of the secret message itself because they are too slow and, 
in most cases, too expensive. Frequently, they cannot safely carry the full 
load of messages. Moreover, the safe insertion of keys into a cryptosystem, 
with tamperproof key carriers and “emergency clear” devices, belongs just 
as much to good key management as certification of the quality of keys. 


XBZOM 
-I C S O H 
P Z H A F 

X L H G J 
- P Z H A F 
i mage 
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Key management schemes that include key registration and allotment run 
a risk, which can be reduced steganographically by a special abbreviation 
nomenclature. 

Following this line of thought and guided by practical requirenments, key 
hierarchies with different security levels (master key systems, use of primary, 
secondary, and tertiary keys) come under consideration. To give an example, 
the primary key may be machine-generated, but since the machine itself may 
fall into the hands of an enemy, a secondary key may be used, valid only for 
a rather short message, say of not more than 250 characters, and protected 
mildly by a system different from the main system, but which is also not 
unbreakable. Therefore a tertiary key transmitted by safe means is used 
that may hold for a longer period—say one clay. 7 For example, the Key Ex¬ 
change Algorithm (KEA) developed by NSA, using a key length of 1024 bit, 
declassified in June 1998 by the US Department of Defense, is protected by 
the intractability of computing the discrete logarithm, see Sect. 10.2.4.2. 
Such hierarchical systems render the task of key management even more 
complex. Moreover, they run the risk of a step-by-step attack: Compromise 
the key generator, compromise the secondary key, compromise the complete 
system. This is particularly dangerous if the key negotiation for the secondary 
key is done within the primary system: a one-time break may lead only too 
easily to a permanent break. 

All the rules of key management hold also for individual one-time keys. They 
trivially comply with Hitt’s admonition that the key text length be equal to 
or greater than the plaintext length. But this high consumption excludes 
the genuine unbreakable systems in many practical cases. Therefore they 
have increasingly been superseded by provably strong 8 pseudorandom key 
sequences (Manuel Blum and Silvio Micali, 1984), defined as superencryption 
of periodic key sequences of extremely long, guaranteed minimal period by 
some specific one-way function without a known trapdoor like the discrete 
logarithm (Sect. 10.2.4.2). 

Progress in storing techniques may mitigate some of the practical disad¬ 
vantages of the distribution of individual one-time keys in great quantities. 
Lightweight memory disks (CD-ROMs) with a density of gigabytes per deca¬ 
gram give individual, one-time keys a new chance to be used in high-level 
diplomatic, strategic military, and commercial links where there is a real 
need for absolute unbreakability. 


' For the example of the Wehrmacht ENIGMA, according to the procedure that held 
from July 8, 1937 until September 15, 1938: the primary key is machine-generated, 
a secondary message key (indicator) determines the starting position of the rotors of 
each message, a tertiary Tagesschlussel (Fig. 63) comprises wheel order, ring setting, 
basic wheel setting (“ Grundstellung "), and steckering. However, the primary and the 
secondary cipher systems were identical; and the tertiary key was transmitted by courier. 

8 Many so-called pseudorandom keys are ‘more pseudo than random’ (Tony Sale). 
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Let us recall that an encryption X : V* ->- W* is usually finitely generated 

by a cryptosystem M . Let M* denote the set of all encryptions defined in this 
way by M. An encryption method S' is a subset of M* . There is the subset 
M d of periodic encryptions with key sequences of period d , and the subset 
M°° of encryptions with non-periodic computable infinite key sequences. 

A composition of two encryptions by serial connection of their encryption 
steps requires that the cryptotext space of the first method coincides with 
the plaintext space of the second method. 

Amateurs are inclined to believe that the composition of two classes of meth¬ 
ods offers more resistance to unauthorized decryption than either of the two 
alone. That is not necessarily so. The second method can even partly or 
completely counterbalance the effect of the first. To give an example, let S be 
a simple substitution, generated, as usual, by a password, say the following, 
which could well come from Bazeries: BASEDOW’S DISEASE IS CURABLE . 
The substitution is then 

abccle f ghi j klmnopq r s tuvwxyz 
BASEDOW I CURL F GHJKMNPQTVXYZ 

In fact, it has four 1-cycles, two 2-cycles, and one 18-cycle. Applied twice it 
results in 

abccle fghi j k lmnopqrstuvwxyz 
ABNDEHV CSQML O W I URFGJKP T XYZ 

where eight letters, included the frequent vowels /e/ , /a/, are invariant. 

9.1 Group Property 

Some cryptosystems M with V = W have the property that the composition 
of two encryption steps from M does not lead outside M . One says that such 
a cryptosystem forms a group. Examples are the group V 26 of all simple 
substitution steps over Z 2 6, the group V 2 a of all transpositions of width 24. 
For other endomorphic cryptosystems this is not necessarily so: the set of 
monocyclic simple substitution steps does not form a group, since the group 
identity is not monocyclic. The examples in Sect. 7.2.4 show that the set of 
ALBERTI encryption steps and the set of ROTOR encryption steps for some 
primary alphabets do not form a group. The composition of such steps increa¬ 
ses the combinatorial complexity. This justifies the use of three and four 
rotors in the ENIGMA. The group property would be detrimental. 
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9.1.1 Key groups. However, if a cryptosystem M forms a group, then 
the composition of two Xs,Xt G M is some G M, where t is uniquely 
determined by s and t: l = s • f . Thus % s (xt (p)) = Xs»t (p) ; . • . is the group 
composition of the key characters, which form a key group (‘key space’). 

An endomorphic injective cryptosystem is ‘pure’ (see Sect. 2.6.4) and thus 
has a key group; it has been called ‘closed under composition’ by Salomaa. 

9.1.2 Composition of methods. Examples of endomorphic encryption 
methods that form a group with respect to composition of its encryptions 
are the group of all linear substitutions of a given width n, the group of all 
polyalphabetic (monographic) substitutions of a given period d, or the group 
of all block transpositions of a given width n . 

The composition of two encryption methods (‘product encryption’) leads in 
general, however, to a new encryption method, although often to a related 
one: the composition of two general or linear polyalphabetic encryption meth¬ 
ods with the periods d\ and c ?2 is a general or linear polyalphabetic encryp¬ 
tion method with the period lcm(di ,df ); analogously for block transposi¬ 
tion of width ni and n 2 . For substitutions, this was already pointed out by 
Babbage in 1854. Here, too, the combinatorial complexity is increased. 
Sometimes, the composition of two endomorphic encryption methods is com¬ 
mutative, like the composition of the group of all simple substitutions with 
the group of all block transpositions of a given width n. If two encryption 
methods, each one being a group, commute, then the product encryptions 
also form a group (Shannon: “The product of two pure ciphers which com¬ 
mute is pure.”) 

9.1.3 T52. The encryption steps of the cipher teletype machines made by 
Siemens worked over Z 2 and used a composition of pentagraphic substitutions 
(VERNAM steps operating on the 5-bit code groups) and transpositions of 
the five bits (permutation of their positions)—in group-theoretic terms a sub¬ 
set of the hyper-octahedral group of order 2 5 • 5! = 3840. They were based 
on a patent applied for by August Jipp and Ehrhard Rossberg on July 18, 
1930. The models T 52a and T 52b were used by the Kriegsmarine from 
1931; the model T 52c was first used by the Luftwaffe , and by mid-1941 was 
used generally by the Wehrmacht ( Geheimschreiber , British code-name ‘stur¬ 
geon’). It is estimated that about 1000 machines were built over the years. 

Encryption and decryption were controlled by ten cipher wheels w s , each one 
operating a binary switch i s with i s = 0 or i s = 1, s = 1...10 . Five wheels 
W 1 ...W 5 performed on Z 2 32 VERNAM substitutions, five more wq...w 10 per¬ 
formed transpositions generated by 2-cycles. In the T 52b this was the set 
{(12)* 6 (23) i? (34)* 8 (45)* 9 (51) il0 } ; since' (12)(23)(34)(45) = (23)(34)(45)(51) 
= (54321) and (23) (34) (45) = (12) (23) (34) (45) (51) = (5432), the number of 
different ones among these transpositions is 30. Altogether, the ten wheels 
generated 960 alphabets. In the T52c, developed under Herbert Wiisteney 
(1899-1988), a message key could be easily changed. In the T52e, due to new 
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circuitry, only 16 different substitutions and 15 different transpositions oc¬ 
curred, reducing the number of alphabets used for one message to 240 (in the 
T52c, the number was only 120). 

The movement of the cipher wheels was controlled by their having 47, 53, 
59, 61, 64, 65, 67, 69, 71, and 73 teeth; at each step all wheels were moved 
by one tooth, which gave a kind of a regular wheel movement with a period 
of 47 • 53 • 59 • 61 • 64 • 65 • 67 • 69 • 71 • 73, i.e., about 10 18 . 

The T 52d and T 52e (introduced in 1943 and 1944) were variants of T 52b and 
T 52c, respectively, featuring more “irregular” intermittent wheel movements 
and supporting an optional Klartextfunktion. The T 52b (1934) was different 
from the early T 52a only with respect to improved interference suppression. 
Towards the end of the war, the cipher teletype machine SFM T 43 was built 
in a few copies by Siemens. It used an individual, one-time key (Sect. 8.8.3). 

9.1.4 SZ. Cryptologically simpler was the cipher teletype machine SZ40, 
SZ42, SZ42a (Schliisselzusatz made by Lorenz, code-name ‘tunny’. It per¬ 
formed only VERNAM substitutions, correspondingly the encryption was 
self-reciprocal. In the SZ 42 (Plate N) a first group of five cipher wheels with 
41, 31, 29, 26, and 23 teeth (called y-wheels by the British) operated with 
VERNAM steps on the 5-bit code groups; at each step all y-wheels were 
moved by one tooth. A second group of five cipher wheels with 43, 47, 51, 
53, and 59 teeth (called -^-wheels) operating likewise with VERNAM steps 
on the 5-bit code groups, followed serially. Two more wheels (called motor- 
wheels) served for irregular movement only; one, with 61 teeth, moving with 
the y-wheels, controlled another one with 37 teeth, which in turn controlled 
the simultaneous (a weakness!) movement of the ^-wheels. The period was 
more than 10 19 . All wheels could be arbitrarily provided with pegs control¬ 
ling the VERNAM switches and could also be brought to arbitrary initial 
settings. 

9.1.5 Olivetti. Much less is known about the practical use of this cipher 
teletype machine (Italian Patent 387482, January 30, 1941), which had only 
five cipher wheels and two motor wheels, causing a weak irregularity. 

9.2 Superencryption 

9.2.1 Superencryption. Also called superenciphering (USA), reciphering 
(UK), or closing (French surchiffrement , German Uberchiffrierung , jargon 
also Uberschliisselung) , it is a common case of a product encryption: a literal 
or numeral code is encrypted again. VIGENERE over Z 10 , i.e., with N = 10, 
is used for numeral codes; the corresponding addition modulo 10, i.e., with¬ 
out carry, which in military parlance was called symbolic or false addition, can 
be performed on a mutilated adding machine (Sect. 8.3.3). As early as 1780, 
Benedict Arnold, a spy for Britain in the New England states, used the overall 
addition of 7 modulo 10 to code groups, i.e., an ordinary CAESAR addition, 
for superencryption. If instead, for fragments of width m, i.e., in the crypt 
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width of the code, a number is added modulo 10 m (a polygraphic CAESAR 
addition), one speaks of an ‘additive’. The use of additives in connection with 
codes became widely known in the 19th century when commercial codebooks 
began to appear. One particular kind of double superencryption went as 
follows: Codebooks that had both numerical and literal codegroups (e.g., 
Fig. 40) were used to retranslate the numeral code obtained by adding the 
additive into literal code. This is of particular interest if the additive, for 
ease of numerical computation, is very special, like 02000. In 1876 J. N. H. Pa¬ 
trick was convicted of having used such a system in a corruption affair in the 
US Congress. The US Navy used the system in the Spanish-American War 
in 1898, and it was considered to be the most secure and advanced code sys¬ 
tem of the day—provided the additive was changed at rather short intervals. 

The Foreign Office of the Deutsches Reich used from 1919 a double superen¬ 
cipherment of a 5-digit numeral code (“Deutsches Satzbuch”, DESAB). The 
pairs of additives, each one covering six five-digit groups, were taken from a 
book of 10 000 lines; added up that gave 50 000 000 possible unique key se¬ 
quences. The British tried for a long time without success to break into what 
they had dubbed FLORADORA (SIS: GEC, KEYWORD), and what the 
Germans had named Grundverfahren. However, in May 1940 in the German 
Consulate in Reykjavik (Iceland) they seized cipher documents including a 
complete copy of the DESAB 3 codebook and ten lines of additive. At first 
this gave no more than slight progress achieved by testing on stereotypical 
expressions. Then, in 1942, the British Consul in Lourengo Marques, the 
capital of Portuguese Mozambique, obtained by lucky circumstances the ad¬ 
ditives for the next two months. In 1943-1944, P. W. (‘Bill’) Filby and the 
reactivated E. C. Fetterlein in Bletchley Park, together with S. Kullback in 
Washington, succeeded in the reconstruction of the complete additive books. 

Transposition may also be used for superencryption: F. J. Sittler, one of the 
most successful code makers, recommended shuffling the four figures of his 
code groups. If this transposition is kept fixed, however, the effect of su¬ 
perencryption is just a new code, no more secure than the old one. If a 
transposition is used, its width should be prime relative to the codelength. 

9.2.2 Need for superencryption. In particularly sensitive and revealing 
cases—dates and clock times, coordinates, names and so on—composition of 
a code with a rather independent superencryption method is strongly indi¬ 
cated. Superencryption of some code with a bipartite bigram substitution is 
an example—it was used for a 3-figure front-line code ( Schliisselheft ) in the 
First World War by the German Army after March 1918. ENIGMA superen¬ 
cryption was used for the map grid (Sect. 2.5.2.1) of the Kriegsmarine. 

9.2.3 Plugboard. A fixed superencryption of the ENIGMA encryption 
was accomplished by the plugboard (Sect. 7.3.3). The substitution was self¬ 
reciprocal, but this was not necessary, for an arbitrary substitution would 
have preserved the self-reciprocal character of the ENIGMA, but disallowed 
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Welchman’s diagonal board. However, other cryptanalytic methods of the 
Polish and the British (Zygalski sheets, Turing bombs) were insensitive to 
‘steckering’ and would have worked for an arbitrary plugboard substitution. 

9.2.4 ADFGVX. An early case of a thorough amalgamation by a product 
encryption is the ADFGVX system of the German Army, invented in the 
First World War by Lieutenant Fritz Nebel (in the Second World War signal 
and communications officer in the Luftwaffe) and introduced under General 
Ludendorff on the Western Front in 1918, with a bipartite 6x6 Polybios sub¬ 
stitution (Sect. 3.3.1) in the alphabet {A, D, F, G, V, x} of clearly distinguish¬ 
able Morse signals (Sect. 2.5.2) and a transposition of width 20 . The key was 
changed every day, and it cost the French cryptologist Georges-Jean Painvin 
at least a full day to decrypt the signals—if he could solve them at all. 

9.2.5 ENIGMA superencryption. In the ENIGMA key net of the Kriegs- 
marine, messages of particular importance were superencrypted a second time 
with the ENIGMA, using message settings denoted by ANTON, BERTA, ... 
from a list of 26, changed each month; this was to be marked with the plain¬ 
text discriminant (German Kenngruppe) ‘ offizier ’. The reason was crypto¬ 
logical in nature, but directed against another audience: it screened infor¬ 
mation from the rank and file. Late in the evening of July 20, 1944, a signal 
was circulated to all German ships, and was decrypted in Bletchley Park: 

OKMMM ANANA LLEXX EINSA TZJWA LKUER EJNUR DURCH OFFIZ IERZU ENTZI 
FFERN OFFIZ IERJD ORAJD ERFUE HRERJ ADOLF HITLE RJIST TOTXD ERNEU 

EFUEH RERIS TFELD MARSC HALLJ VONWI TZLEB ENJ . 

Walter Eytan [Ettinghausen], in charge of Z Watch in Hut 4, Bletchley Park, 
did not know how macabre the wrong news was; anyhow he kept it secret from 
the ever-present ‘Wrens’, young ladies of the Women’s Royal Naval Service. 
Eytan remarked dryly: “Der letzte Witz seines Lebens”(last joke of his life). 

9.3 Similarity of Encryption Methods 

Shannon calls two classes of encryption methods S , T similar, if there exists 
(independent of the keys) a one-to-one mapping A of the set of cryptotext 
words of T into the set of cryptotext words of S such that 
for all TeT there exists S £ S : S = AT , i.e., S(x) = AT(x ) for all x. 
Encryption methods from similar classes are cryptanalytically equivalent: one 
can assume that A is known (Kerckhoffs’ admonition as stated by Shannon: 
“The enemy knows the system being used”). A possible way to break T is 
then also suitable to break S . Classes of similar encryption methods are: 
CAESAR methods and reversed CAESAR methods 

{A is the ‘inverting’ substitution (Sect. 3.2.1) of the cryptotext), 
VIGENERE methods and BEAUFORT methods 

{A is again the ‘inverting’ substitution of the cryptotext), 
simple columnar transposition methods and block transposition methods 
( A is the matrix transposition of the cryptotext). 
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DOUGH 



ROLL IT 



FOLD IT 



ROLL IT 



(REPEAT) 


Fig. 84. Production of pastry dough 


9.4 Shannon’s ‘Pastry Dough Mixing’ 

The composition of a multipartite monographic substitution and a trans¬ 
position is not commutative. The composition of a proper polygraphic sub¬ 
stitution of width k and a transposition of width k is not commutative. 
The composition of a simple substitution and a VIGENERE method is not 
commutative. Shannon has pointed out in 1945 that the composition of 
non-commuting encryption methods works like a thorough “pastry dough 
mixing” 1 (Fig. 84), as studied by Eberhard Hopf in compact spaces 2 . 



Fig. 85. Modular transformation 


9.4.1 Confusion and diffusion. Intuitively, a composition will be effi¬ 
cacious, if the composed methods not only do not commute, but the one is 
rather independent of the other, like transposition, performing a ‘diffusion’, 
and linear polygraphic substitution, performing a ‘confusion’. If the product 

1 N. J. A. Sloane, Encrypting by Random Rotations. Lecture Notes in Computer Science 
434, Springer 1990 . 

2 Eberhard Hopf, On Causality, Statistics and Probability, Journal of Mathematics and 
Physics 13 , pp. 51 102 (1934). 
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Fig. 86. FLB’s resurrection 


encryption is not a group, it may be iterated and its combinatorial com¬ 
plexity further increased. In the discrete spaces of encryption, however, any 
iteration of a fixed transformation is finally periodic and in the end the Hopf 
mixing is an illusion. This is shown in the following example of an iterated 
two-dimensional picture transformation which in the first steps displays quite 
convincingly its amalgamation character. 

The transformation step consists of a reflection with affine distortion, followed 
by a reduction to the basic format by cutting off and pasting back protruding 
corners (Fig. 85). The result of successive transformation steps is shown in 
Fig. 86. At first, it looks as if the portrait of FLB is going to be totally mixed 
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Fig. 87. Modular transformation T 


up, but after 48 steps a texture turns up and after 192 steps it reappears 
fourfold like a ghost, and after 384 steps the original picture is restored. A 
picture encryption of this kind with a high number of iterations carries the 
danger of not concealing anything. 

9.4.2 Heureka! The phenomenon can be explained: We consider the 
square Q : 0<x<l,0<y<l with toroidal connection and on it the 
modular transformation (Fig. 87): 

( x' = y 

F:< f x + y — 1 if x + y > 1 

\x + y if 0 < a: + y < 1 

The local affine distortion, the reflection included, is given by the matrix 
T = ^ ^ , which has shown up already in Sect. 8.6.1. Note that 



Fig. 88. Modular transformation T 2 


Figure 88 shows the effect of T 2 with the local affine distortion due to the 
matrix 




3 


See F. L. Bauer, Efficient Solution of a Non-Monotonic Inverse Problem. In: W. H. J. 
Feijen et al. (eds.), Beauty is our Business. Springer 1990, pp. 19-26. 
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Figure 89 finally shows the effect of T 4 with 



Fig. 89. Modular transformation T 4 
Here it can already be seen that the pattern of the four points 



is rotated by 180° . Correspondingly, these four points are already fixpoints 
for T 8 with the matrix 

(! !) 8 = (" £)-(; ?) + 3 (t 7 u) 

For T 16 with the matrix 

( 0 1V' 6 f 610 987 \ (l 0\ / 29 47 \ 

\1 l) ^987 1597 J ^0 1/ ^47 76/ 

additional fixpoints appear, in fact 
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(0 iy / f^\ 29i + 47k\ 

u v U; {lJ + {47 ^ +76k) ■ 

Thus, all 400 points with the coordinates (y , ^y) , 0 < i < 21,0 < fe < 21 
are fixpoints of T 16 . T 48 has the matrix 


46 368 


64079 
103 682 


103 682 
167761 


64079 i 
103682 i- 


103682 k 
167761 k 


This results in 46367 2 = 199 2 • 233 2 ss 2.15 • 10 9 fixpoints. Outside these 
points there is a thorough amalgamation. However, if the blackening is re¬ 
stricted by screening to a grid, then the resurrection of the picture is under¬ 
standable when the set of fixpoints fits the set of mosaic points. Note that 
46368 = 2 5 • 3 2 • 7 • 23 . Thus, 


mod 2 5 = 


This means that in the example of Fig. 86 a screening process of 32 x 32 
mosaic points would have led to resurrection after 48 steps. Actually, the 
screening was done with 256 x 256 mosaic points. Now, 


mod 2 8 = 


mod 2 8 = 


mod 2 8 = 


mod 2 8 = 


2 971215 073 
4 807 526 976 


4807 526 976 
7778 742 049 


mod 2 8 = 


mod 2 8 = 


mod 2 8 = 


mod 2 8 = 


Thus the result that supplements the table in Sect. 8.6.1: N = 256, r = 384. 
The chosen example of a two-dimensional picture encryption could be carried 
over to text encryption by transposition, of course. 

9.4.3 Shannon. He recommended quite generally compositions SFT , 
where S and T are classes of relatively simple methods and F is a (fixed) 
transformation (a barrier) achieving a thorough amalgamation. In the exam¬ 
ple of tomographic methods (Sect. 4.2) this would be the sandwiched trans¬ 
position, in the example of mixed-rows columnar transposition (Sect. 6.2.3) 
the matrix transposition. In modern applications it could be a chip, defining 
a family of 64 polygraphic substitutions of width 64 bits. A warning seems to 
be appropriate: blind confidence in the efficacy of such barriers is not justi¬ 
fied, for there is always the danger of an illusory complication. Furthermore, 
the better the amalgamation, the more a local encryption error will propagate 
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over the whole cryptotext. Much worse, a local error in the transmitted cryp¬ 
totext will spread over the whole decrypted plaintext (“avalanche effect”), 
making it completely unreadable; with all the bad consequences (Chapter 11) 
in case of a repetition. In this sense, good amalgamation is dangerously good. 

9.4.4 Barriers. Tomographic methods achieve a simple, practical and 
rather effective amalgamation by using first a multipartite substitution, where 
the barrier is a special transposition, namely, a cutting into pieces and re¬ 
assembling of the intermediate cryptotext, and finally by applying a multi¬ 
graphic substitution. 

It seems that the idea originated with Honore Gabriel Riqueti Comte de 
Mirabeau (1749-1791), a French publicist and politician before the time of 
the French Revolution. After a bipartite, one-to-one Polybios substitution 
(Sect. 3.3.1) Z 25 —> Z 5 x Z 5 he grouped together all the first digits, then all 
the second digits. For the regrouping, he applied the inverse Polybios substi¬ 
tution Z 5 x Z 5 —> Z 25 . (This was presumably followed by a steganographic 
method —Bazeries, claiming that he had decrypted some authentic letters of 
the Marquise Sophie de Monnier to her famous lover Honore de Mirabeau 
and mentioning the teneur pornographique, does not give further details, but 
makes the remark in connection with Boetzel and O’Keenan, Sect. 1.2). The to 
and fro Polybios substitution Z 25 <—> Z 5 xZ 5 also interested young Lewis Car- 
roll (diary note of February 26, 1858). Alexis Kphl used a Z 25 <—>Z 10 x Z 10 . 


9.4.5 Damm and Hagelin. Instead of a transposition, the barrier can 
also be from a family of linear transformations, e.g., a VIGENERE or BEAU¬ 
FORT over Z 5 . This is the basic idea of the “Nihilist number-ciphers” (as 
Helen Fouche Gaines calls it) which can be operated with a periodic or with 
a running key. In this way was the to and fro Polybios substitution used in 
the early cipher machines B-21, B-211 of Boris Hagelin. Hagelin used two 
of Damm’s half-rotors with ten positions to obtain for each of the two Poly¬ 
bios Z 5 ten different permuted 5-letter-alphabets; altogether 100 different 
alphabets resulted. The rotor movement was accomplished by two pairs of 
pin wheels with 17, 19, 21 and 23 teeth. The B-211 also had a plugboard. 


9.4.6 Mirabeau Improved. Felix Marie Delastelle 4 also discussed a to¬ 
mographic method more general than his local one mentioned in Sect. 4.2.3: 
the regrouping of larger pieces than Mirabeau (Sect. 9.4.4) had done. For the 
regrouping he proposed a longueur de seriation, e.g., 7 in the following exam¬ 
ple with a Polybios substitution derived from the password BORDEAUX: 


e n v o y e z 

14 5 15 15 
5 3 3 2 4 5 5 

14 51 51 55 33 24 55 
D S S Z I C Z 


u n b a t a i 

2 4 1 2 5 2 3 
2 3 112 13 

24 12 52 32 31 12 13 
CO T H G O R 


1 1 o n i n f 

4 4 1 4 3 4 2 
1 1 2 3 3 3 5 

44 14 34 21 12 33 35 
P D J A O I K 


anterie 

2 4 5 1 1 3 1 
1 3 2 5 3 3 5 

24 51 13 11 32 53 35 
C S R B H V K 


4 Felix Marie Delastelle, 1840-1902. Author of Traite Elementaire de Cryptographie, 
Gauthier-Villars, Paris, 1902. 
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Delastelle was practical enough to choose a seriation length ( longueur de 
seriation) that was not too large: an encryption error would otherwise spread 
over the whole message (see Sect. 11.3). But the danger of unauthorized 
decryption is higher. 

9.4.7 Other methods. Delastelle also discussed tomographic methods 
on the basis of a tripartite substitution (Sect. 4.1.3). Other tomographic 
methods used the ternary Morse code, e.g., a method called POLLUX and a 
reversed Kidissenverfahren by M. E. Ohaver, which in the following example 
uses encryption width 7 : 

s 

Morse symbols 
code length 3 

reversed 4 

regrouped symbols 

H 

9.5 Confusion and Diffusion by Arithmetical Operations 

A thorough amalgamation is accomplished in particular by arithmetical op¬ 
erations. A method liked by mathematicians, recently rediscovered, is based 
on an arbitrary monoalphabetic block encryption of a message as a sequence 
of numbers, followed by an encryption of each one of these numbers by arith¬ 
metical operations modulo a suitable number q , possibly with re-encryption 
into literal form (‘symbolic (false) addition, subtraction, multiplication’). 

Addition modulo q, as well as multiplication by a factor h modulo q , was 
discussed in connection with linear substitutions (Sect. 5.7). Likewise the r-th 
power modulo q can be formed. These operations are increasingly amalga¬ 
mating: multiplication as iterated addition, powering as iterated multiplica¬ 
tion. We will see that if the inverse operations exist, they provide authorized 
decryption for roughly the same effort as needed for encryption. 

For given q , a plaintext block can be encrypted whose number equivalent x 
fulfills the condition 0 < x < q. The encryption as a number can even be 
performed by customary numeral codes; this brings about a compression 
that can be considerable for stereotyped texts: standard commercial codes 
comprise on average 8.5 plaintext letters per five-digit group. 

The number representation can be in any number system for the basis B with 
B > \V\ that is convenient and allows fast carrying out of the arithmetical 
operations. With V = Z 26 frequently the basis B= 100, i.e., essentially de¬ 
cimal arithmetic (^o) with digit pairs was used, or the basis B = 32, i.e., 
essentially binary arithmetic (fZ\) with five-bit groups. 

Today, bytes (5 = 256), 16-bit groups (B = 2 16 ), 32-bit groups (5 = 2 32 ), and 
64-bit groups (5 = 2 64 ) are commonly used. 


e n 

1 2 
3 3 

K S 


cl s 

3 3 

3 2 

S A 


u p 

3 4 

1 3 

E G 
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9.5.1 Residue classes arithmetic. For the method of multiplication 
with a factor h modulo q, 

Mh(x) = x ■ h mod q , 

the necessary preparations have been made in Sect. 5.7 . 

For prime q = p, the multiplication modulo p forms a group; for every 
h ^ 0 mod p there exists an inverse h! such that h ■ hi mod p = 1 , thus 
for the multiplication in the Galois field F(p): 

M h ’(M h (x)) = x . 

For non-prime q , h has an inverse (h is regular with respect to q) if and 
only if it is relatively prime to q (Sect. 5.6). 

For technical reasons, q is frequently chosen to be of the form q = 2 k or 
q = 2 fc — 1 if computation is done in the binary system; in the decimal system 
correspondingly q = 10 fe or 5 = 10 fc — 1. In the first cases the result is 
directly found in the lower part of the accumulator (Sect. 5.7.1). In the case 
q = 2 k , only the odd numbers have inverses; in the case <7 = 2 fe — 1 , the 
non-prime q should be avoided —then one is limited to Mersenne primes. 

For large values of q the determination of the inverse hi of a given h looks 
non-trivial only at first sight: the division algorithm by successive subtraction 
functions also for the cycle of numbers mod q ; in fact, an analogue to the 
fast division algorithm we customarily perform in a positional system for Z 
was given in Sect. 5.7.1 for Z q = {0 , 1, 2, 3, ... , q — 1} C Z . It can be 
brought into the form shown in the following example: 

17 • hi = 1 mod 1000 


-1 

16 

33 

50 

220 

390 

560 

730 

900 

2600 

4300 

6000 


3 


5 


3 


thus 17 • 353 = 6001 = 1 mod 1000 . 

It is easy to program a microprocessor to do this efficiently. Once 11 is 
determined, decryption needs the same effort as encryption. 

If q is the product of two (different) primes, q = p' ■ p" , and if 
h ■ = 1 mod p' and h-hl 2 = \ mod p" , then h ■ hi = 1 mod q , where 

hi = h'i mod p' and 11 = h' 2 mod p". 

The residue arithmetic reduces the effort for the determination of hi con¬ 
siderably. 
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9.5.2 Powering. The following can be stated for the method of raising a 
number to a fixed power h modulo q , 

P h (x) = x h mod q (x° = 1): 

For prime q = p, if for some h' h ■ h! = 1 mod p—1 (therefore h relatively 
prime to p—1), then Ph'(x) is inverse to Ph(x) . Thus, for the raising to a 
power in the Galois field F(p) 

Ph'(Ph(x)) = x . 

Proof: To begin with, 

Ph'(Ph(x)) = x h h ' mod p = x h {h ' mod p-i+*-(p-i)) mod p for su i ta ble a 
= x hh ‘ mod p - 1 ■ x ha <P- 1 '> mod p 
= x 1 -{x p ~ 1 mod p) ha 

From Fermat’s theorem, x p ~ 9 mod p = 1, thus 

Ph’(Ph{x)) = X . CXI 

Examples: Mutually reciprocal pairs (h,h r ) can be found in Sect. 5.5, 
Table 1, e.g., 

for p = 11: (3,7) and (9,9) (N = 10); 

for p = 31: (7,13), (11,11), (17,23), (19,19), and (29,29) (AT = 30); 

for p = 23: (3,15), (5,9), (7,19), (13,17), and (21,21) (AT = 22). 

Case p = 11: 

x 3 mod 11 has the cycle representation (0) (1) (2 8 6 7) (3 5 4 9) (10) , 

x 9 mod 11 has the cycle representation (0) (1) (2 6) (8 7) (3 4) (5 9) (10) . 

x , ac 3 mocl 11, ac 9 mod 11, and ac 7 mod 11 form the cyclic group C 4 of order 4. 

Case p = 31: 

x‘ mod 31 has the cycle representation A of order 4 

(0) (1) (5) (25) ( 9 10 20 18) (17 12 24 3) ( 2 4 16 8) 

(6) (26) (14 19 7 28) (22 21 11 13) (15 23 29 27) (30) 
x 11 mod 31 has the cycle representation B of order 2 

(0) (1) ( 5 25) ( 9 14) (10 19) (17 22) (12 21) ( 2) (16) ( 4) ( 8) 

( 6 26) (20 7) (18 28) (24 11) ( 3 13) (15) (29) (23) (27) (30) 

x 17 mod 31 has the cycle representation AB of order 4 
(0) (1) ( 5 25) (14 10 7 18) (22 12 11 3) ( 2 4 16 8) 

( 6 26) ( 9 19 20 28) (17 21 24 13) (15 23 29 27) (30) 
x 19 mod 31 has the cycle representation A 2 of order 2 

(0) (1) (5) (25) ( 9 20) (10 18) (17 24) (12 3) ( 2 16) ( 4 8) 

(6) (26) (14 7) (19 28) (22 11) (21 13) (15 29) (23 27) (30) 
x 29 mod 31 has the cycle representation A 2 B of order 2 

(0) (1) ( 5 25) ( 9 7) (10 28) (17 11) (12 13) ( 2 16) ( 4 8) 

( 6 26) (14 20) (19 18) (22 24) (21 3) (15 29) (23 27) (30) 

x‘ mod 31 and x 11 mod 31 generate the group C4 x C 2 of order 8 . 
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Case p = 23: x 7 mod 23 has the cycle representation 

(0) (1) (2 13 9 4 8 12 16 18 6 3) (5 17 20 21 10 14 19 15 11 7) (22) 
and generates the cyclic group Cio of order 10 . 

Generally, for given odd prime p, the set {Ph : h regular w. r. t. p — 1} forms 
an Abelian (commutative) group A4 p _i, depending on p. Polyalphabetic 
encryption with this group as key group is possible. The group is of order 
• ? '~ 11 — 1, if is prime. A prime p such that p' = ' 11 is also a prime, 

is called a safe (or ‘strong’) prime (Bob and G. R. Blakely 1978): p' is then 
called a Sophie Germain prime. 

Safe primes are 5 , 7, 11, 23, 47, 59, 83, 107, 167, 179, 227, 263, 347, 
359, 383, 467, 479, 503, 563, 587, 719, 839, 863, 887, 983, 1019, 1187, 
1283, 1307, 1319, 1367, 1439, 1487, ... ; but there are also big ones like 
45-2 3 ' — 1 and 10 lo ° — 166517. Apart from 5 and 7, all safe primes are of 
the form 12a — 1. 

Ph{x) has the trivial fixpoint x = 0 and the two normal fixpoints x = 1, 
x = p — 1, besides possibly other ones. The powers Ph{x), Pf(:v) may be 
obtained as products of repeated squares; a binary representation of h and 
h! indicates how this is to be done. 

Forp=ll, since 3io = H 2 and 7io = III 2 ; 9io = IOOI 2 : 

P?,{x) = x • x 2 , Pr{x) = x • x 2 ■ (x 2 ) 2 , P 9 (a:) = x ■ ((x 2 ) 2 ) 2 , 

where . • . indicates multiplication and . 2 squaring, each time modulo 11. 
In fact, for ?r-bit numbers, with 2 n < p < 2 n+1 , raising to a power modulo p 
takes roughly the same effort as n multiplications do. With the present 
tendency to displace encryption steps into microprocessor chips, arithmetical 
methods will become more and more important in the future. 

Especially for primes of the form p = 2 2 + 1 (Fermat primes) one arrives 
at the problem of reciprocal pairs modulo 2 2 ; special solutions exist. 

For non-prime q , the situation is more complicated. The special case where q 
is a product of two (different) primes, q = p'-p" , will be treated in Sect. 10.3. 

9.5.3 Two-way communication. Since h and h' in Sects. 9.5.1 and 
9.5.2 are interchangeable, in the mutual communication of two partners A 
and B the one can use h both for encryption and decryption and the other 
h' likewise both for decryption and encryption (Sect. 2.6.2). 

9.5.4 Pliny Earle Chase. A harbinger for these arithmetical methods 
was Pliny Earle Chase; in 1859 he described in the newly founded Mathe¬ 
matical Monthly the following method: After some bipartite injective sub¬ 
stitution V —> W 2 with W = Z 10 , one forms a number x , as Mirabeau 
did (Sect. 9.4.4), from the first figures and another one y from the second 
figures. Then one performs simple arithmetical operations, like multiplying 
x by seven and y by nine, and finally retranslates the result into V . This 
simple system offered more security than many customary schemes, although 
it did not find practical use. 
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9.6 DES and IDEA® 

The Data Encryption Standard (DES) algorithm was promulgated in 1977 by 
the National Bureau of Standards (NBS) in the USA for use with “unclassi¬ 
fied computer data.” 5 The DES method is a block encryption for octograms 
of bytes. A sequence of fixed transpositions and key-dependent, multipartite, 
non-linear substitutions produces a thorough amalgamation. DES is a tomo¬ 
graphic method; this can be seen best from the original proposal LUCIFER 
by Horst Feistel, an employee of IBM (Fig. 90). Quite obviously, the impres¬ 
sion is given that Shannon (Sect. 9.4.3) is the godfather. The key has eight 
bytes, but in fact this includes eight parity bits, there are only 56 genuine 
key bits. A short effective key length was desirable for the NSA. 

9.6.1 The DES Algorithm. We give only a sketch of the method; for 
details the official source 5 may be consulted. 

9.6.1.1 Encryption. The principal construction of the DES encryption step 
is shown in Figure 91: The 8-byte plaintext block is first subjected to a (key- 
independent) initial transposition T and subsequently split into two 4-byte 
blocks L 0 and R 0 . Next are 16 rounds (i = 1,2,3,..., 16) with 

hj — Ri— i and R[ — A _ [ © f ( R, _ i. A",) . 

The symbol © is used for addition modulo 2 . Aj is a 48-bit key, generated 
via a selection function by the given key. The final transposition T -1 , inverse 
to T , ends the DES encryption step. 

The function / is the central part of the algorithm (Fig. 92). The 32-bit 
block Ri_ i is expanded into a 48-bit block U(i?,_i) by duplication of 
certain bit positions and added modulo 2 to A'j. The resulting 48-bit block 
is split into eight 6-bit groups, serving as input for each one of the eight 
substitution modules Si , £2 ... S$ (‘S-boxes’). Each of these modules imple¬ 
ments four different nonlinear substitutions. The following table shows these 
substitutions for S 1 . 

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 

0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 

Si: 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 

2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 

3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 

Bit 1 and bit 6 of the 6-bit group, interpreted as a binary number, determine 
the row (and thus a substitution), bits 2 to 5 the column. For the input 

5 Federal Information Processing Standards Publication 46, National Technical Informa¬ 
tion Service, Springfield, VA, April 1977. Federal Register, March 17, 1975 and August 1, 
1975. For the presentation of background information (from the point of view of N.B.S.) 
see Smid M.E., Branstad D.K.: The Data Encryption Standard: Past and Future, 
Proceedings of the IEEE, Vol. 76, No. 5, May 1988 . 
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110010 (row 2, column 9 in the table) the module Si issues the bit group 
1100 . The eight Tbit output blocks of the substitution modules Si , S 2 ... Sg 
are concatenated and subjected to a fixed final transposition P (‘P-box’). 

There remains the question of the derivation of the subkeys. First, the parity 
bits of the key specified by the user are removed, then the remaining 56 bits 
are transposed according to a fixed prescription and split into two 28-bit 
blocks. These blocks are cyclically shifted to the left in each round by one 
or more positions—depending on the index of the round. From the two of 
them, according to some specified rule, a 48-bit subkey {Kf) is generated. 








9.6 DES and IDEA 187 


Fig. 92. 

The function / 



9.6.1.2 Decryption. For decryption the same algorithm is applied, now 
using the subkeys (Ki) in reverse order. The algorithm is essentially key- 
symmetric: the same key is used for encryption and decryption. The rounds 
of the encryption can be described by the self-reciprocal mappings 

L) i— >(R, L®f(R, Ki)) (processing) , 

g : (R, L) i —> (L , R) (swapping) . 

g is obviously a reflection, which for hi follows from the identity 

L ® f(R , Ki) © f(R, Ki) = L . 

While the entire encryption is described by 

DES = T _1 o hie o g o hi^ o g o ... o h 2 o g o h\ o T 

(in the last round are no swaps), the order of the subkeys is simply reversed 
for decryption: 

DES~ X = T^ 1 o hi o g o h 2 o g o ... o/i 15 ojo/i 16 oT . 

Since all the mappings are self-reciprocal, composition of DES and DES~ l 
yields identity. 
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9.6.2 Avalanche Effect. It turns out that after a few rounds each bit of 
the intermediate result depends on each bit of the plaintext and of the key. 
Minimal changes in the plaintext or in the key have the expected effect that 
about 50% of the bits change (“avalanche effect”). 

9.6.3 Modes of Operation for DES. For a plaintext of more than eight 
bytes, block encryption means dividing the plaintext into 8 -byte blocks. In 
some applications—e.g., if information becomes available step by step and is 
to be transmitted without delay—plaintext can be shorter than eight bytes. 
For both cases, a variety of modes of operation is conceivable, with differences 
with respect to speed of encryption and error propagation. In the end, the 
intended application will decide which mode is preferable. 

The National Institute of Standards and Technology (NIST, formerly the 
NBS) has standardized four different modes of operation for use in the USA 
two for each of the principal applications mentioned above . 6 

The ECB mode (Electronic Code Book) treats all 8 -byte blocks indepen¬ 
dently. Identical plaintext blocks result in identical cryptotext blocks. This 
mode with its strictly monoalphabetic use of the DES algorithm should be 
avoided as far as possible. 

The CBC mode (Cipher Block Chaining) depends on the encryptment’s his¬ 
tory. The starting point is an initialization block cq (session key ) to be 
agreed among the partners. 

Encryption of the plaintext blocks mi, m 2 , m 3 , ... results in the following 
cryptotext blocks , C 2 , C 3 , ... with 

ci = DES{m\ ® Co) C 2 = DES(ni 2 ® ci) C 3 = DES{m^® C 2 ) ■ 

Decryption is performed by 

mi = DES~\c\)®cq m 2 = DES~\c 2 )®c\ m 3 = DES~\cf)®C2 . 

The encryption method is now polyalphabetic, but with rather regular con¬ 
struction of the alphabets, in fact it is an autokey method with a priming 
key, protected only by the non-linearity of the barrier DES. 

Apart from these stream-oriented direct encryptions are modes of operation 
using the DES algorithm for the generation of pseudorandom keytext. 

The CFB (Cipher Feedback) mode offers a choice of a 1-bit, 8 -bit, 16-bit, 
32-bit, or 64-bit output for subsequent use with another encryption method. 
The OFB (Output Feedback) mode has internal feedback, the feedback mech¬ 
anism being independent of both the plaintext and the cryptotext stream. It 
is normally used to produce an 8 -byte (64-bit) output. It has found applica¬ 
tion in connection with authentication. 


DES Modes of Operation, National Bureau of Standards (US), Federal Information Pro¬ 
cessing Standards Publication 81, National Technical Information Service, Springfield, 
VA, December 1980. 
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9.6.4 Security of DES. Since the very first publications about the envis¬ 
aged and later on the agreed-upon standard DES there were discussions and 
criticism. The number of internal rounds, 16, was considered to be rather 
low. The main points of attack were and still are: 

• The design criteria of the S-boxes have not been disclosed— first not at 
all, later rather vaguely; however, they were finally published by Don 
Coppersmith in the 1990s. These barriers, essential for security, could 
contain ‘trapdoors’, making unauthorized decryption easy (or at least 
easier). 

• The key length is relatively small. There are only Z = 2 56 « 72 • 10 15 
different keys possible (for the original LUCIFER design—and this com¬ 
parison is certainly appropriate—the number of keys was much larger, 
at 2 128 « 340 • 10 36 ). 

• In the ECB mode, the key is kept fixed for quite a while; this mono- 
alphabetic use allows classical attacks (‘building a depth’, Sect. 19.1). 

On the other hand, DES is a rather fast encryption algorithm. A larger key 
length, many more rounds and other things would have slowed down the chip. 
The worldwide acceptance of DES as a de facto standard justifies to some 
extent the design. 

But in part this discussion was conducted against a background of deep 
mistrust: The American National Standards Institute was suspected (and 
even privily accused) of acting as the long arm of the National Security 
Agency, which was supposed to have an interest in breaking encryptions. 
Official announcements were not helpful in reducing suspicion. 

Even today no trapdoors are (publicly) known. But there is also no proof 
of their nonexistence. Certain surprising properties of the DES algorithm 
have been found, like a symmetry under complementation: If both plaintext 
and key are complemented, the resulting cryptotext is complemented, too. 
There could be other symmetries undiscovered so far. A residue of distrust 
has remained. In fact, it is to be hoped that with massive support by faster 
and faster machines DES can be broken by state authorities, if the national 
security of the USA makes it necessary. Private initiative should not be and 
most likely is not able to solve DES. 

Given that DES lacks security—in particular with the ECB mode, which 
has long been disadvocatecl but is still used, even commercially, by mediocre 
vendors—the remedy may be multiple DES encryption with independent 
keys. But there is the danger of an illusory complication. 

An upper limit for the effort to break a method is the brute force attack. It 
should be kept in mind that DES is available for unlimited tests and thus sus¬ 
ceptible to this attack. In 1990, Eli Biham and Adi Shamir found a cryptana- 
lytic countermeasure for attacking amalgamation methods, using some small 
variations of the plaintext (‘differential cryptanalysis’). For DES, it turns 
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out that the brute force attack can indeed be shortened -from 2 56 tests with 
full exhaustion to 2 47 . Some years later Mitsuru Matsui even found a way 
(‘linear cryptanalysis’) allowing a reduction of the effort to 2 43 tests. This is 
only theoretically interesting— but tempting. In the meantime, Donald Cop¬ 
persmith has disclosed that as early as 1974 the designers of DES tried their 
best to prevent such an attack.' The break was finally accomplished with the 
appearence of faster and cheaper chips. 

Since about 1980, special chips for DES have been on the market. In the 
first half of the 1990s, they encrypted and decrypted at 10-20 Mbits/sec. 
Figure 93 shows a chip from the early times (1979). 

The DES method has become the worldwide leader on the market (irre¬ 
spective of American export limitations). It is used by banks for electronic 
cash transfer, it protects civil satellite communications and UNIX passwords. 
Whether successors of DES will be equally successful remains to be seen. 



9.6.5 Successors for DES. Export is free for the 40-bit algorithms RC2 
and RC4 of RSA Data Security, Inc., which came on the market in 1993. 
“If you get permission from the USA [for a license to export an encryption 
algorithm] that probably means it’s too easy to decrypt” (Ralph Spencer 
Poore). The widespread opinion (Otto Horak, in 1996: “DES is nearing the 
end of its credibility”) that the 56-bit DES, intended only for a decade, is 
to be replaced soon—after all, it can be assumed that in the 20 years from 
1977 to 1997 the maximal attainable speed has increased by a factor around 
2 10 -was supported in 1998 by a successful brute force break of exhaustive na¬ 
ture. As a consequence, the NIST (National Institute of Standards and Tech¬ 
nology) concluded that it could no longer support the use of DES for many ap¬ 
plications, and recommended in February 1999 an interim ‘Triple-DES’ (FIPS 
46-3) with 168 bits (that however trebles the time need for encryption or de¬ 
cryption) for a few more years, until the new Advanced Encryption Standard 
(AES), with key lengths of 128, 192 or 256 bits, was finalized as a Federal 


7 Details are given by Susan Landau, Notices AMS Vol. 47, p. 341 and p. 450 . 
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Information Processing Standard. In the end, the proposal RIJNDAEL, by 
Joan Daemen and Vincent Rijmen, was selected on October 2, 2000 and 
became valid on May 26, 2002. Meantime, doubts have been expressed. 

Compared to DES, an essential improvement was offered by the SKIPJACK 
algorithm with an 80-bit key, working in 32 rounds, which is likewise key- 
symmetric. Starting from the observation that with a special computer for 
$ 100 000 in 1993 exhaustion of the key set of DES would have needed 8 3.5 h, 
for SKIPJACK, this would be reached within 3.5 h only in 2029, in 1993 
it would need 26.2 • 2 20 years, in 2005 still 6.55 • 2 10 years, and in 2017 
1.64 years—and this for the simple exhaustive (‘brute force’) attack; every 
professional decryptor would find ways and means to do it faster. 

Alas! Under US law, SKIPJACK, which can be obtained as a tamper- 
resistant chip (MYK-78 in the Clipper system) programmed by Mykotronx, 
Torrence, CA, USA, with a throughput up to 20 Mbits/sec and for a price 
of some $ 10, was until June 1998 classified and not obtainable as software. 
This meant, of course, that its applicability within computer networks and 
webs was very restricted, not to speak of political considerations regarding 
commerce and civil rights. The role of a de facto standard that DES has 
acquired is unlikely to be achieved by SKIPJACK even after declassification. 
Europe, commonly more liberal than the USA, does not bind itself to the 
action of the US government. Among the various unsponsored attempts to 
create a successor to DES maybe the most promising is IDEA® ( Interna¬ 
tional Data Encryption Algorithm ), developed by J.L. Massey and others 
since 1990, patented and registered by the Swiss Ascom Tech AG, Solothurn. 
IDEA has been sold since 1993 as VLSI chip and as software without known 
commercial restrictions. With a key space of 128 bits, IDEA will measure up 
for the next century to a brute force attack, although for other cryptanalytic 
methods, particularly those taking advantage of the enemy’s encryption er¬ 
rors, it is just as vulnerable as SKIPJACK and DES. All these encryption 
algorithms work with 8-byte plaintext blocks. 

Sometimes, however, not all existing bits are used cryptologically. Thus, it 
turned out in early 1998 that in a 64-bits key used worldwide for protection 
of access to GSM mobile telephones (Dl, D2, E-plus) the last ten bits were 
constantly set to O. Consequently, a brute force attack is shortened by a 
factor 1000 and reaches into the hours-till-days region. 

9.6.6 Cryptosystems and cryptochips. A lot of excitement was caused 
by a cryptosystem which was distributed in mid-1991, a software system 
called PGP (‘Pretty Good Privacy’, jokingly also called ‘Pretty Good Piracy’). 
As well as encryption and decryption algorithms (IDEA, more recently also 
TripleDES and others), PGP contains means for secure key negotiation and 
for authentication (Sect. 10.5). PGP has grown within a surprisingly short 


According to M. J. Wiener, Efficient DES Key Search. CRYPTO ’93, Santa Barbara, 
CA, Aug. 22-26, 1993. 
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time into a de facto standard for e-mail on the Internet. PGP escaped its 
originator, Philip R. Zimmermann and slipped through the meshes of US law, 
very much to the dismay of the NS A, but also very much to the malicious 
glee of an anarchic worldwide cypherpunk movement. In January 1996, the 
US government dropped its prosecution of Zimmermann. Meanwhile, PGP 
software has been marketed in the USA for something like $100. 

Anyway, national laws can not find great attention in an open world, An 
example was given in March 1998 by Netscape with the release of its WWW 
Software Communicator “mozilla” in source code. In order to obey the US 
export laws ( International Traffic in Arms Regulations, ITAR), the secure 
sockets layer (SSL), which allows secure data exchange, was withheld. Within 
a couple of days an Australian source made “cryptozilla” openly available, a 
version of the Netscape Communicator equipped with 128-bit-algorithms for 
encryption. 

Anyhow, a weakness is key negotiation, in general the weakest part of all 
existing cryptosystems. This was a lesson the Polish cryptanalysts taught the 
Germans. Once key negotiation is broken, the whole encryption algorithm is 
worthless. 

Meanwhile, microprocessor chips are becoming more and more powerful. A 
recent (1996) general purpose 64-bit processor chip codenamed Alpha-AXP 
(21164), made by Digital Equipment Corporation, works with a pulse fre¬ 
quency of 300 MHz, comprises 9.3 million transistors and processes 1.2 • 10 9 
instructions per second. Initially, it was manufactured in 0.5 p technology, i.e., 
the electrical connections have a width of 0.0005 mm. Step by step the pulse 
frequency was increased; in 1999 for the successor Alpha 212 64 to about 600 
MHz, using a 0.35/z technology. In 2000, DEC announced pulse frequencies 
higher than 1.0 GHz and was then aiming at 0.25/i and 0.18/z technology. By 
mid-2003, the Intel Pentium4 with 3.2 GHz was going for $637 on the market. 
Microprocessors are widely used nowadays in servers, desktop, and laptop 
computers and are frequently connected into networks, and thus more and 
more the need to protect their data cryptologically is felt. Crypto AG, Zug 
(Switzerland) offered in 1996 a crypto board for stand-alone or networked 
desktop PCs and notebooks, which provided user identification and access 
control, encryption of hard disks, floppy disks, directories, and files at a 
rate of at least 38 Mbits/sec. It had its own tamper-proof key carrier and 
password storage and worked with individually generated pseudorandom keys 
in a symmetric block cipher algorithm. The key management used a multi¬ 
level key hierarchy. Master keys, data encryption keys, file keys and disk keys 
had a key variety of 2 124 = 2 x 10 37 . With dimensions 85 mm by 54mm and 
only 3.3 mm thick, the crypto board, as shown in Plate P, is geometrically 
extremely small. Nevertheless, if it is used properly, it can be expected 
to withstand the efforts of the largest supercomputer for quite some time. 
‘Strong’ cryptography, which is unbreakable for a long while, is possible and 
is worthwhile; thus, it is going win. 
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Open Encryption Key Systems 


The polyalphabetic encryption methods discussed so far use a key for encryp¬ 
tion and a key for decryption. Cryptosystems with self-reciprocal encryption 
steps use the same key for both, of course. Otherwise, there are two possi¬ 
bilities: 

(1) There is only one key. The same key character has its particular meaning 
for encryption and for decryption. This is the case for DES (Sect. 9.6.1). 
Using crypto machines, this requires a switch that allows a choice between 
encryption mode and decryption mode. 

(2) There are two different keys, the encryption key and the decryption key. 

The crypto machine needs only one mode, but the derivation of the decryption 
key from the encryption key needs extra effort. 

This can be illustrated with a classical VIGENERE method: Case (1) uses 
for encryption E and decryption D 

E = {Xk } } ■ X kj (x) = x + kj mod N n 

D = {Xfe/} : Xfc/O) = x- kj mod N n 

while case (2) uses for decryption 

D = {Xfe/} : Xk'(x) =x+ (-kj) mod N n 

i.e., Xfe/ = X (fe .)-i where (kj)- 1 = -kj. 

The derivation of (kj) 1 from (kj) is simple enough in this example, and 
since (kj) , the decryption key, is to be kept secret, (kj) , the encryption 
key, is to be kept secret as well. But if it were as difficult to derive (kj)~ 
from (kj) as to break the cryptotext with any other means, the encryption 
key (kj) could be made public. If so, we would have an open encryption key 
system. Surprisingly, such cryptosystems exist. 

The question is: does such an open encryption key system (public key system 
for short) offer advantages ? And if so, why was such a simple idea presented 
so late—the mid-1970s—in the long history of cryptology? The answer is that 
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the use of cryptographic methods in commercial networks has characteristics 
that were missing in the classical two-partner situation. In fact, there are 
indeed advantages in the case of a many-partner key net, as well as advantages 
if authentication is given equal or even more weight than secrecy, a situation 
that exists in modern global financial transactions. 

10.1 Symmetric and Asymmetric Encryption Methods 

10.1.1 Symmetric Methods (Private Key Methods). The key agreed 
upon by two partners determines in classical cryptosystems both the encryp¬ 
tion step and the decryption step in a simple way, which is symmetric in the 
sense that both times essentially the same effort is needed. Moreover, usually 
the two partners are at different times both sender and receiver, and in cases 
where encryption and decryption commute (Sects. 2.6.2, 9.5.3), each needs 
just one, his or her private key. 

These symmetric, private key methods did not cease to exist with the ad¬ 
vent of the electronic age, say around 1950. The DES method, discussed in 
Sect. 9.6, the best known example of modern block encryption, is in this class; 
there is—case (1) above—only one key, and encryption and decryption differ 
only with respect to the order in which the rounds generated from the key 
are applied. Encryption and decryption is fast: in 1995, about 20 Mbits/s. 

Thus, cryptanalytic security depends on the secrecy of this key. Furthermore, 
if the user hopes that the would-be unauthorized decryptor even with knowl¬ 
edge of the method class will never find this key, it goes almost without saying 
that under real conditions nobody would be able to encrypt a fake message 
such that the recipient could decrypt it without becoming suspicious. Then, 
authentication is not a problem, and it is guaranteed if and only if secrecy is 
guaranteed (but see Sect. 10.5). 

However, there are certain disadvantages: 

(1) It is impossible for the sender of a message to prove to his partner or a 
third person that he has sent a particular message. This lack of judicial 
protection is a handicap for the transmission of orders and for financial 
transactions. 

(2) The keys have to be communicated or negotiated on a channel whose 
cryptanalytic security is much higher than the security of the channel 
used for normal transmissions. Spontaneous secure communication may 
not be possible. 

(3) With a large number of partners wanting secure communication, the 
number of two-way channels and therefore the number of keys becomes 
quite large. For a key net with n partners, each one wanting to exchange 
messages safely with everyone, ( 2 ) = n ■ (n — l)/2 self-reciprocal keys 
or n ■ (n — 1) symmetric keys are necessary. For n = 1000, the numbers 
are 499 500 and 999 000. 
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10.1.2 Asymmetric Methods (Public Key Methods). Dispensing with 
the symmetry of the cryptosystem, the decryption key, of course, is to be 
protected; but asymmetry may go so far that the encryption key is not only 
unprotected but even published (public key). On a two-way channel with 
partners A and B , there are now four keys: an open encryption key for B 
and a corresponding private decryption key for A , an open encryption key 
for A and a corresponding private decryption key for B . This is twice the 
number before. But A may now receive messages from many other partners, 
all knowing for their encryption the public key of A and trusting that only 
the authorized receiver A can decrypt it. Thus, each partner has an open 
(public) key and a private key, and the total number of keys for a key net of 
1000 partners drops from nearly a million to two thousand. 

This eliminates the disadvantage (3) above. As for (1), the solution will be 
taken up below and in Sect. 10.5 . And the problem under (2) disappears, for 
a published key does not have to be negotiated; whenever a partner A decides 
to open a communication channel with B , he may do so after consulting the 
directory with the keys of all participants. 

The concept of an open encryption key system was published in 1976 by 
Whitfield Diffie and Martin E. Heilman. 1 For its origin, see Sect. 8.9.2 . 

10.1.3 Encryption and Signature Methods. Let AT) denote the public 
key of the i-th partner and KCi his private key. AT) determines an encryp¬ 
tion Ei and KCi determines a decryption Di . Both A, and Aj have 
effective implementations, but {AT)} is a public directory and KCi is only 
known to the i-tli partner. For all partners, it is impossible (or, practically 
speaking, intractable) to derive KCi from AT). 

If Ei and Di fulfill the property 
(*) Di(Ei(x))=x, 

we speak of an (asymmetric) encryption method serving secrecy. 

If moreover A,; and A; fulfill the property 
(**) Ei(Di(x))=x, 

we speak of an (asymmetric) signature method serving authentication. 

The asymmetric encryption method works as follows: If partner A wants to 
send an encrypted message m to B , he takes from the directory under the 
heading B the key ATg (this determines Ag): 

(A) c = Ag (m) 

and sends the cryptotext c over the public channel to B . 

B uses his private key ACg (which determines Ag) to recover the message m 
(A) Ag(c) = Ag(Ag(m)) = m (because of (*) ) 


1 New Directions in Cryptography , IEEE Transactions on Information Theory, IT-22, 
Vol. 6, pp. 644-654 (i976). 
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The asymmetric encryption and signature method works as follows: If partner 
A wants to send an encrypted message to signed with his signature “A” to B , 
he first encrypts to with his private key KC A (this determines Dj. i): 

(Al) d = Da (to) , 

and joins to d his signature “A” . Next he takes from the directory under the 
heading B the key KP& (this determines Eg) and encrypts the pair (“A” ,d)'■ 

(A2) e = -Eg(“A”, d) = Eb (“A”, D A (m)) . 

A sends the cryptotext e over the public channel to B. 

B uses his private key KC'b (which determines Db ) to recover the pair: 

(El) Eg(e) = Eg (Eg (“A”, d)) = (“A”, d) (because of (*) ) . 

B recognizes from the part “A”, that A is the sender. B now uses the public 
key KP a of A (which determines E, 4 ) to recover from d the message to : 

(E2) E A {d) = E A (Dj{(in)) = to (because of (**) ) . 

By obtaining meaningful text, B is assured that he did get the message from A 
since no other partner could have encrypted it with D A ■ 

10.2 One-Way Functions 

The whole success of asymmetric open encryption key systems rests on the 
question: How can it be accomplished that Ej, i.e., E^ 1 , cannot be easily 
obtained from Ej, that breaking the encryption is practically intractable? 

10.2.1 Strict One-Way Functions. An injective function / : X —» Y 
is called a strict one-way function if the following holds: 

There is an efficient 2 method to compute f(x) for all x £ X , but there is 
no efficient method to compute x from the relation y= f(x) for all y € f[X]. 

Arto Salomaa has given a striking example of a one-way function. An encryp¬ 
tion with homophonic encryption steps Z 26 -p Zj 0 is defined as follows: 

For a letter X, some name commencing with this letter X is looked up in 
the telephone directory of a large city Z, and a 7-digit telephone number 


listed under this name is the cryptotext 
/kindergarten/, the steps are 


To be concrete: for 

encrypting 

k 

p-p Koch 

p^ 8202310 

i 

p-p Ivanisevic 

p-p8119896 

n 

P- v- Nadler 

p^ 6926286 

d 

p^ Dicklberger 

p-p5702035 

e 

p-p Esau 

p^ 8348578 

r 

p-p Remy 

p-p7256575 

g 

p-p Geith 

p^ 2730661 

a 

p-p Aranyi-Gabor 

p-p2603760 

r 

p^ Rexroth 

p^ 5328563 

t 

p-p Tecins 

p^6703008 

e 

p-p Eisenhauer 

p^ 7913174 

n 

p-p Neunzig 

p-p3002123 


2 Efficient: With a computational effort which is polynomial (‘P’) in log |.Y| . If P = NP 
(‘NP’: non-polynomial) would hold, no strict one-way function could exist at all. 
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The following encryption of /kindergarten/ , a sequence of 12 7-digit code¬ 
groups: 

8202310 8119896 6926286 5702035 8348578 7256575 2730661 2603760 
5328563 6703008 7913174 3002123 

is obtained by a human operator in less than one minute of time. The de¬ 
cryption is unique, but needs hours and hours if done manually with the help 
of a telephone directory of about 2000 pages. A one-way function poses as an 
encryption for the authorized decryptor quite unsurmountable difficulties. 

Thus, strict one-way functions cannot be used in a reasonable way for en¬ 
cryption of messages followed up by decryption. However, strict one-way 
functions without homophones can be used for identification and authentica¬ 
tion: A password is encrypted by a strict one-way function and is stored in 
this form. Any time access is required the password presented is encrypted, 
too, and the cryptotexts are compared. This scheme is applied in the widely 
used operating system UNIX 3 , but based only on a variant of the DES algo¬ 
rithm which does not qualify as a strict one-way function. 

However, it is possible that the legal user of this system is in the possession 
of an inverse telephone directory—either obtained illegally from the post 
office or purchased. Such a directory makes the decryption process as simple 
as encryption is. It is a hidden suspension of the one-way direction like a 
trapdoor: an unsuspecting person cannot go back once he or she has passed 
through, but the initiated person knows where to find the hidden knob. 

10.2.2 Trapdoor One-Way Functions. For data security, which is 
essentially the domain of cryptology, trapdoor one-way functions are needed, 
allowing data access by decryption for the authorized user. 

An injective function / : X ->- Y is called a trapdoor one-way function if 

the following holds: 

There is an efficient method to compute f(x) for all x £ X . 

There is an efficient method to compute f~ 1 (y ) for all y £ f[X] , but it 
cannot be derived efficiently from the relation y = f(x) for all y £ f[X]: 
secret additional information, the trapdoor, is necessary. 

The trapdoor in Salomaa’s example is the inverse directory. It can be es¬ 
tablished legally by the user who can afford the time to do so, if he needs it 
frequently (or if he can sell it), and if storage complexity does not preclude it. 
This sort of preprocessing is one of the best strategies to break asymmetric 
encryption systems, since they are normally used for some time. 

10.2.3 The Efficiency Boundary, Function inversion breaks down for 
one-way functions only because of lack of time and storage space, i.e., because 
of time and storage complexity. Technological progress shifts the border line 
between ‘intractable’ and ‘efficient’; at present roughly every two years the 


3 UNIX is a registered trademark. 
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speed of the fastest single computer is doubled and roughly every 15 months 
computer costs are halved. This latter trend allows increasing parallelization. 
The cryptologist counteracts this technological progress by suitably increas¬ 
ing some of the encryption parameters, those that influence the encryption in 
a sensitive way, and thus he prevents cryptanalysts surmounting the barrier. 
To give an example: for some methods, the inversion of a one-way function 
amounts to the decomposition of a number n into its prime factors, a huge 
task compared with the multiplication of the factors to form the number n. 
One of the fastest known algorithms, the ‘Quadratic Sieve’, 4 has ‘subexpo¬ 
nential complexity’, i.e., needs asymptotically of the order of magnitude 

^^/ln n-ln(ln n ) ^y/ln(ln n)/ Inn 

operations. For n=10 7 °, the exponent ydn (In n )/In n has the value ss 0.178 , 

correspondingly n V ln ( lnn )/ ln ” _ 2.69-10 12 . The observation that in 1984 the 
factorization of (10 71 —1)/9 needed 9.5 h on a CRAY X-MP may serve for 
calibration; this amounts to roughly 80 • 10 6 ‘macro-computing steps’ per 
second, and gives by extrapolation the following picture (assuming every two 
years a doubling of the maximal attainable speed of a single computer): 


n 

bits 

g-y/ln n-ln(ln n) 

Time 1984 

Time 1994 

Time 2004 

10.5° 

166 

1.42 • 10 10 

181 s 

5.66 s 

177 ms 

10 7 ° 

232 

2.69 • 10 12 

9.5 h 

0.297 h 

33.4 s 

io 100 

332 

2.34 • 10 15 

344 d 

10.75 d 

8.06 h 

10 12 ° 

399 

1.31 • 10 17 

52.57 a 

600 cl 

18.75 cl 

10 14 ° 

465 

5.49 • 10 18 

2.2 • 10 3 a 

68.75 a 

785 d 

10 155 

512 

6.69 • 10 19 

2.7-10 4 a 

844 a 

26.4 a 

IO 200 

664 

1.20 • 10 23 

4.8 • 10 7 a 

1.5-10 6 a 

4.7 • 10 4 a 


The efficiency boundary is indicated by the ‘yearlong’ work of several hundred 
days. It has moved from (in 1984) n = 10 1 ' 00 ss2 332 to n=10 12 °«2 399 (in 
1994) and is expected in 2004 to be n=10 14o «2 465 , not far from 2 512 . 

A sensation was stirred in 1994 when a 129 decimal digits number (429 bits) 
was factored into its two prime factors of 65 decimal digits each. According to 
the extrapolation above a single supercomputer would have needed 3330 days. 
In fact, the total work was distributed on 1600 (less powerful) computers 
connected by the Internet and was finished in 8 months time. In 1999, a num¬ 
ber with 465 bits was factorized. Starting around the year 2004, numbers with 
512 binary digits will no longer give sufficient security against factorization. 
More and more special computers with a high degree of parallelization are 
coming into use. Whatever efforts in this way are made, there are limits 


4 Based on early work by M. Kraitchik, improved by C. Pomerance (1985), P. Montgomery 
(1987), R. D. Silverman (1987). The fastest version of this algorithm is called ‘Double 
Large Prime Variation of the Multiple Polynomial Quadratic Sieve’ (ppmpqs). Neither it 
nor the even better ‘Number Field Sieve’ method by John Pollard (1988), asymptotically 
needing a number of steps of order e(( ln ' (ln(ln n)) 2 / 3 ) _ n (ln(lnn)/In n) 2 / 3 , are 
‘efficient’ in the sense of 10.2.1. 
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to the mastery of storage and time complexity which cannot be surpassed 
for reasons of physics. For example, according to our present knowledge a 
10 6O -bit store would need the mass of our entire solar system, likewise 10'° 
operations would take more time than has elapsed since the birth of the 
known universe in the Big Bang, some 10 18 sec ago, even if each operation 
took no longer than 10~ 43 sec, the Planck time, the shortest time interval 
that is meaningful in terms of known physics. 

But these large numbers can be deceptive. There is no proof of the nonexis¬ 
tence of an algorithm much faster than the Quadratic Sieve or other roughly 
comparable ones. It could happen that prime factorization of n can be done 
within a time increasing with a low polynomial in n. However, it is not likely. 
As is frequently said, people have been investigating factorization for more 
than two thousand years. Generally, the non-existence of other trapdoors 
than the ones already known is hard to prove. And complexity theory in its 
present state is little help, for it usually gives only upper bounds for the effort 
needed. “There are no provable lower bounds for the amount of work of a 
cryptanalyst analyzing a public-key cryptosystem” (Salomaa 1990). A newly 
found trapdoor could endanger the security of a cryptosystem as much as a 
direct decryption attack, bypassing the function inversion altogether. This 
is a principal risk of asymmetric methods and such a big disadvantage that 
their use in highly sensitive areas is rather questionable. 

10.2.4 Known Examples of One-Way Functions. A proof for the 
existence of strict one-way functions is hampered by the lack of sufficiently 
good lower bounds for the known methods. But there are good candidates, 
based upon the operations multiplication and exponentiation over the Galois 
field F(p), where p is prime. 

10.2.4.1 A One-Way Function without trapdoor: Multiplication of Primes. 

As Turing remarked in 1937 (Sect. 5.7), it is relatively simple to multiply 
two numbers of ten thousand decimal digits and therefore also two primes of 
this size; on a home computer it takes only seconds. But today there is (see 
Sect. 10.2.3) no efficient method (publicly) known to decompose a 200-digit 
decimal number into its prime factors (apart from special cases). 

Let X = {(x±,X 2 ) | Xi, X 2 prime, K < x\ < X 2 } for a sufficiently large K. 
The injective function 

/ : X —»IN defined by f(x 1 , £ 2 ) = x\ ■ X 2 
is therefore a one-way function. No trapdoors are known. 

10.2.4.2 A One-Way Function without trapdoor: Exponentiation in F(p). 

Let p be prime. For a fixed a the a-exponential function in F (p) 

F a : Z p _ 1 —> Z p \{0} defined by F a (n) = a" mod p 
is for sufficiently large p and a a one-way function (for Z p see Chap. 5). 
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Example: p = 7, 

^\{0} = 

= {1,2,3,4,. 

5,6}, 

a = 2: 



n 

0 

1 2 

3 

4 

5 

6=0 

2" 

1 

2 4 

8 

16 

32 

64 

2" mod 7 

1 

2 4 

1 

2 

4 

1 


The computational effort for F„ is within endurable bounds even for values 
of p and a surpassing lO 200 . The basic idea of repeated squaring and 
multiplying is as in Sect. 9.5.2; it is demonstrated by the following example 
where . • . indicates multiplication and ? squaring, each time modulo p : 

a 25 = ( ^(a 2 • a) 2 ^ j • a , since 25i 0 = 11001 2 . 

The example a = 2, p = 7 shows that the a-exponential function is not 
necessarily injective. If F a is injective over Z p \{0} and thus is a group 
isomorphism of Z p _ 1 and Z p \{0} , then a is called a primitive root of Z p ; 
like a = 3, a = 11 , a = 12 , a = 22 for p = 31: 

3" mod 31 gives a permutation with a (13+9+8) cycle decomposition 
(1 3 27 23 11 13 24 2 9 29 21 15 30) (6 16 28 7 17 22 14 10 25) (4 19 12 8 20 5 26 18) 

11" mod 31 gives a permutation with a (26+3+1) cycle decomposition 
(1 11 24 8 19 22 18 2 28 10 5 6 4 9 23 12 16 20 25 26 7 13 21 27 15 30) (3 29 17) (14) 
12" mod 31 gives a cyclic permutation with the cycle of length 30 
(1 12 20 23 28 26 2 24 9 15 25 21 4 17 18 30 19 11 8 3 5 29 7 22 16 6 10 27 14 13) 
22" mod 31 gives a permutation with a (24+5+1) cycle decomposition 
(1 22 10 5 6 8 28 18 16 9 27 29 24 4 20 25 26 14 7 21 23 3 15 30) (2 19 11 17 12) (13) 

It can be shown that for each prime p there is always at least one primitive 
root. In fact their number is (p{p — 1), others for p = 31 are 21, 17, 13, 24. 
For special p there may be peculiarities. For example, for p = 17,257, 65537 
and all larger primes p (if any) of the form p = 2 2 +1 (Fermat primes), 3 
and 7 are always primitive roots (Albert H. Beiler, Armin Leutbecher). 

If a is indeed a primitive root, F a has an inverse F~^, named the (discrete) 
o-logarithm function or index in Z p \{0} . While the exponentiation in Z p 
is quite efficient, it is hard to get efficient algorithms for the computation of 
the discrete logarithm. 

Among the known algorithms for the discrete logarithm over a multiplicative 
group such as Z p \{0}, even good ones like the ‘Giant-Step-Baby-Step’ algo¬ 
rithm 5 (Daniel Shanks 1971) need an effort proportional 
= y/p = e! lnp and thus are not efficient. 

The better ‘Index Calculus’ method —which requires finding a suitable basis 
of the multiplicative group, usually the first t primes and thus a huge data 

5 For a running program, see Otto Forster, Algorithmische Zahlentheorie , Vieweg, Braun¬ 
schweig 1996. 
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base to be precomputed -works only in special cases, but has still subex¬ 
ponential complexity, i.e., needs an effort of the same order of magnitude 
eV / in P -in(inp) ag p r j me decomposition by the Quadratic Sieve does. 

(Z , +, x) is a field, the Galois field F(p) of characteristic p. More generally, 
consider the Galois field F (p k ), an extension of F(p), and its multiplicative 
group F(p fc )\{0} which is still a cyclic group. It is generated by some element 

k 

x , which is a nontrivial root of the equation x p — x = 0. The elements of 
F(p fe ) are the p k polynomials of degree at most k — 1 over the field F(p) and 
can be implemented as a fc-dimensional vector space. 

Example: p = 2, k = 3, F(2 3 ) = {0, l,x,x+ 1, x 2 , x 2 + 1, x 2 + x, x 2 + x + 1} . 
x 8 — x has an irreducible factor x 3 + x + 1, powers reduced by x 3 i—> x + 1. 

It is only the multiplicative group of F(p fc )\{0} that matters. For k> 1, this 
multiplication is different from that of the modular arithmetic. Thus, we 
finally have the group isomorphism 


F a : Z pfc _ 1 —> F(p fc )\{0} defined by F a (n) = a n in F(p fc ) 

In the example F(2 3 ) with a = x and with a = x+l : 


n 

0 

1 

2 

3 

4 

5 

6 

o 

III 

x n 

1 

X 

X 2 

x 3 

X A 

x 5 

Z 6 

X 7 

X n red. 

1 

X 

X 2 

x+l 

X 2 + X 

x 2 +x+l 

x 2 + l 

1 

n 

0 

1 

2 

3 

4 

5 

6 

o 

III 

(x+l) n 

1 

x+l 

(: X + l ) 2 

(x+l) 3 

(. x+l ) 4 

(x+l) 5 

(x+l) 6 

(x+l) 

(x+l) n red. 

1 

x+l 

x 2 + l 

X 2 

X 2 + X + l 

x 

x 2 +x 

1 


The case p — 2 and k large has particular interest. In 1988 John Pollard 
gave a variant Number Field Sieve (NFS) of the Index Calculus method, 
where primes are to be replaced by irreducible polynomials—the complexity 
being determined by e^ lnp ) / ( lnln P) /3 ). With massive parallel computation, 
preparatory work has been done for such ambitious problems as F(2 503 ) (Don 
Coppersmith 1986, Kevin McCurley 1990, Dan Gordon and McCurley 1993). 

A natural next step in the use of group isomorphisms is made with the elliptic 
curve method (ECM), developed by Neil Koblitz (1985), Victor S. Miller 
(1985), Hendrik W. Lenstra, jr. (1986). It uses the known theory of certain 
algebraic curves of third order (‘elliptic curves’) in the projective plane over 
a finite field K, in particular over F(p fc ). Some algorithms, like the Giant- 
Step-Baby-Step algorithm, can be extended to the point group of an elliptic 
curve. It seems that for the rather good Index Calculus method, finding a 
basis is hopeless in the case of elliptic curves. Thus, the elliptic curve method 
possibly offers greater security for identification and authentication, which 
makes it for the time being an interesting topic of research. Elliptic curves 
over F(2 fc ) (case p = 2) are particularly advantageous, since the arithmetic 
processors for the underlying field are easy to construct and relatively simple 
to implement for large n. 
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No trapdoors are known for the methods considered so far, not even for the 
case F(2 fc ), k > 1. For composite g, F a (n ) = a n mod q has a trapdoor, if 
q is a product of two different primes: the prime factorization of q allows 
the preparation of a table, which with the help of the Chinese Remainder 
Theorem (Sect. 10.4.3) makes calculating the discrete logarithm easier. 

10.2.4.3 A Trapdoor One-Way Function: Raising to a Power modulo q 

In Sect. 9.5.2, raising to a fixed power restricted to the Galois field F(p) was 
discussed. Now q may be composite, 

Ph(x) = x h mod q. 

There still exist suitable pairs (h, h') of fixed numbers from Z ? \{0} such that 

(1) there exists an efficient method to compute Ph{x) for all x £ Z g , 

(2) there exists an efficient method to compute P/ ( (x) for all 

such that Ph>{Ph(x))=x and Ph{Ph’{x)) = x . 

But if only h and q are known and q is large enough, say q > lO 200 , then 
there is no efficient method (publicly) known to compute h! efficiently. 

There is a trapdoor. The derivation of h’ is much easier if q is composite and 
a factorization of q into two factors, both rather large, is known. This will 
be discussed in more detail in Sect. 10.3 . 

10.2.4.4 A Trapdoor One-Way Function: Squaring modulo q = p' ■ p" 

This is the important special case h = 2 of Sect. 10.2.4.3, using ‘quadratic 
residues’, square roots modulo g, for which there is a theory that goes back 
to Legendre and GauB. An application for open encryption key systems was 
studied in 1985 by H. C. Williams. 

We consider first the case q = p, p prime. Table 1 in Sect. 5.5 shows for odd p 
under N = p — 1 no entries for h = 2. P 2 in Sect. 10.2.4.3 is neither injective 
nor surjective. For the equivocal inversion of P 2 we may write \J . To give 
an example, say for p = 17, by inversion of the function table we obtain: 

\/T=±l V2 = ±6 V^=±2 V8 = ±5 

-\/9 = ±3 v / 13 = ±8 Vl5 = ±7 -\/l6 = ±4. 

For prime p , there are efficient methods for the calculation of the square root 
modulo p, based on GauB’s Golden Theorem, the Law of Quadratic Recipro¬ 
city. 

The situation is different for composite g, say g = p' • p". If the prime 
decomposition of g is known, then square roots ±u of a modulo p' and square 
roots ±w of a modulo p" can be obtained efficiently and y/a modulo q can be 
calculated easily. But for anyone who does not know the prime decomposition 
of g, the computation of \Ja modulo q has been proven by M. O. Rabin (1979) 
as hard as the factorization of g. 
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10.3 RSA Method 

The RSA method is the best known among the open encryption key methods 6 
and is named after Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman 
(1978), the US patent held until Sept. 20, 2000. The RSA method is based 
on the widely accepted conjecture that under certain conditions, raising to a 
fixed power modulo q is a one-way function with trapdoor (Sect. 10.2.4.3). 

10.3.1 For the i-th partner in an asymmetric encryption key net, let 

(1) di = Pi' Pi , where p\ , p” odd primes, p\ ^ p” . 

(2) e* , di G {1,2, ...,%)-1}cZ,.\{ 0}, with 

(2a) gcd (e», A (&)) = 1, (2b) gcd (d», A (&)) = 1, 

(2c) e» • di mod A(&) = 1; 

A denotes the Carmichael function 7 (Robert D. Carmichael, 1879-1967) 

Kp'i ■ p'D = lcm (p'i - 1 , p” - i) - 8 

The RSA method is a highly polygraphic, monoalphabetic block encryption, 
with plaintext characters pj G Z ? . and cryptotext characters Cj G Z ? . . 

The following keys are used with the i-tli partner: 
public e» ( for encryption) 9 , qi 
private di ( for decryption) . 

The encryption step is defined through the one-way function Ei : Z ? . —>Z. q . , 
Ei(m.j) = mod qi = Cj . 

The decryption step is defined through the one-way function Di : Z g . —> Z gi , 
Di(cj) = cf mod qi = ijij . 

This gives an asymmetric signature system, since 
Di(Ei(x )) = Ei(Di(x )) = x for all x G Z g . . 

The proof follows the one in Sect. 9.5.2. It can be based on the following 
corollary of Carmichael’s theorem for relatively prime a , n: 

If b = b' mod A(?i) , then a b = a b mod n . 


6 US Patent No. 4 405 829, September 20. 1983. 

7 In the original publication, instead of Carmichael’s function Euler’s function if is used, 
ifOp'i ■ p") = (p[ — 1) • ip'.' — 1) • The conditions stated guarantee the conditions of the 
original method. 

8 For a general definition of A(n) and its use with RSA see H. Riesel, Prime Numbers and 
Computer Methods for Factorization. Birkhauser, Basel 1985, pp. 276, 227. 

A(n) is a proper divisor of f{n) provided N is the product of two distinct odd primes. 
Carmichael’s theorem states: For relatively prime a , n , a 77 ” 1 mod n= 1 holds ; 

A(n) is the least exponent x such that a :l mod n = 1 for all a relatively prime to n. 
The theorem of Carmichael “... is a very useful, but often forgotten, generalization of 
Euler’s theorem” (H. Riesel). Indeed, Rivest, Shamir, and Adleman do not use the 
theorem and Salomaa also does not in his 1990 book, nor do Beker and Piper (1982). 

9 Since 2 | A (pj • p") , e = 2 is excluded. 
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10.3.2 Example (Salomaa, revised): 

(e,, dt) = (1031, 31963 885 304131991) 

qi = 32 954 765 761773 295 963 = 3 336 670 033 • 9 876 543 211; 

A(*) = 5 492 460 958 093 347120 = 3 336 670 032 • 9 876 543 210 / 6 . 
Even this example with large numbers is unrealistic for practical security. For 
demonstration we use small numbers, suitable for a hand-held calculator. 

In designing a RSA cryptosystem, the trapdoor information is used: we start 
with two prime numbers 

P'= 47 , p" = 59 . 

This results in 

Qi = p' ■ p’l = 47 • 59 = 2773, 

A (ft) = A(2773) = 1cm (46,58) = 2 • 23 • 29 = 1334 . 

Now ei is to be found, such that gcd (e,, 1334) = 1. There are many possible 
choices of numbers, like e* = 3,5,7,... ,19,21,25,27,33,35,37,39,... . 
If a set {e,-'^ } is chosen, even polyalphabetic encryption is possible. 

Take e* = 17. di is obtained from ■ di =1 mod 1334 with the fast 
division algorithm, which gives di = 157 . (d, should not become too small, 
otherwise simple trial and error may help to find it (Sect. 10.4.3). It may 
therefore be preferable to choose di and to determine e*.) 

Thus, the encryption step is 
Ei(mj) = my mod 2773 . 

Because of 17io = 100012 , this step can be performed efficiently by 

^ ((m 2 mod 2773) 2 mod 2773^“ mod 2773mod 2773^ • m mod 2773 . 

The decryption step is 

Di(cj) = c] 57 mod 2773 . 

Encoding the literal characters u (space) 10 , a , b , ... , z with the bigrams 
00 , 01 , 02 , ... , 26 , allows plaintext bigrams to be encoded with numbers 
from Z 2773 , since 2626 < 2773 . 

The message errare u humanum u est 

is first encoded in blocks of length two: 

0518 18 01 18 05 00 08 2113 0114 21 13 00 05 19 20 
and then encrypted: 

1787 2003 2423 0596 0340 1684 0340 0508 2109 . 

Identical plaintext blocks lead to identical cryptotext blocks—the encryption 
is blockwise monoalphabetic. This ECB mode (in DES parlance, Sect. 9.6.3) 
should be protected at least by an autokey as in the CBC mode. Even 
periodic truly polyalphabetic encryption would be far better. 

10 Contrary to classical custom, Rivest, Shamir and Adleman did not suppress the word 
spacing. The literature on the RSA method follows them on this. 
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10.4 Cryptanalytic Attack upon RSA 


Nothing should prevent the cryptanalyst from trying all classical methods 
(see Part H) against RSA encryption. There are also some specific weaknesses: 


10.4.1 Attack by Factorization of qi . The cryptanalyst who finds the 

j/ — 1 j // — 1 

factorization of qi: qi = p'pp'l , can calculate A (qi) = 2 ■ 1 cm (—) 
and from knowing also di. To protect the RSA method against this attack, 
i.e., to make the factorization of qt intractable (the actual factorization is 
frequently more difficult than the mere compositeness proof), the following 
conditions should be fulfilled: 

( 1 ) qi = p\ ■ p” > lO 200 . 

( 2 ) p\ and p" differ in length as dual or decimal numbers by a few digits. 

(3) Neither p[ nor p" is small, or is taken from some table of primes, 
or is of some special form. 


Condition (1) prevents (Sect. 10.2.3) a brute force attack. 

Condition (2) thwarts exhausive search for a representation of qi as a differ¬ 
ence of two squares (a technique going back to Fermat 1643): 


di = P'i ' Pi = ( 


Pi 


// 2 / 
-Pi ) _ 


-) 


Pi + Pi 


going upwards from v dp. 


with values for 

Condition (3) thwarts exhausive search in a rather small set of primes that are 
possibly factors. None of these attacks have been reported so far as having 
been successful, probably because it is easy enough to obey these safeguard 
measures. 


10.4.2 Attack by Iteration (Sect. 9.4.2). Let 

c (o) _ m . (plaintext block), = Cj = Ei(rrij) (cryptotext block) . 

Form the sequence 

C ( R+1 ) = Ei(c (k) ) . 

The least k > 1 with =c^ is called the iteration exponent s mj of irij ; 

s m . indicates the length of the cycle to which TOj belongs. s m — 1 is called the 
recovery exponent of m.j . 

Example 1: As above in Sect. 10.3.2, with nij = 0518. 

(e.j, di) = (17, 157), qi = 2773 = 47-59, A (q,) = lcm(46,58) = 1334 = 2-23-29 


(0) _ m _ 




0518 

(= 

11 

47 + 

1 ) 

(!) — c - 

0518 17 

mod 

2773 = 

1787 

(= 

38 

47 + 

1 ) 

(2) = 

1787 17 

mod 

2773 = 

0894 

(= 

19 

47 + 

1 ) 

(3) = 

0894 17 

mod 

2773 = 

1364 

(= 

29 

47 + 

1 ) 

(4) = 

1364 17 

mod 

2773 = 

0518 = rrij 
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Here we have arrived at plaintext, with a recovery exponent s mj = 3 . The un¬ 
authorized decryptor cannot yet know this; he finds at the next iteration step: 

c (5 > = 0518 17 mod 2773 = 1787 = cj . 

From the corollary of Carmichael’s theorem (see Sect. 10.3.1): 

c (fc) _ m y moc i 2773 = mj 7 mod 1334 mod 2773 . 

But 17 44 mod 1334 = 1 . Therefore c^ 44 -* = m] mod 2773 = rrij , and 44 
is an upper bound for the longest period that can occur with e, = 17. Note 
that 44 is a divisor of A(A(47 • 59))= A(2 • 23 • 29) = lcm(22, 28) = 308. 11 
In fact, the total of 2773 elements of Z 2773 is partitioned into 
9 cycles of length 1 (fixpoints) „ 

42 cycles of length 4—including the cycle starting with 0518, 

6 cycles of length 22, 

56 cycles of length 44 . 

Example 2: 

(e*, di) = (7, 23), qi = 55 = 5-11, A(&) = A(55) = lcm(4,10) = 20= 2 • 2 • 5 
The example is small enough that all cycles can be listed: 

9 fixpoints: 

(0) (1) (10) (11) (21) (34) (44) (45) (54) 

3 cycles of length 2 : 

(12,23)' (22,33) (32,43) 

10 cycles of length 4: 

(2,18,17,8) (3,42,48,27) (4,49,14,9) (5,25,20,15) (6,41,46,51) 

(7,28,52,13) (16,36,31,26)(19,24,29,39) (30,35,40,50)(37,38,47,53) 

Since 7 4 mod 20 = 1, 4 is an upper bound for the longest period that can 
occur with e* = 7. Note that A(A(5 • 11)) = A(2 -2-5) = lcm(l, 4) = 4. 11 

Example 3: 

(e*, di) = (3, 675), qi = 1081 = 23 • 47, A(&) = lcm(22,46) = 506 = 2 • 11 • 23 
Since 3 55 mod 506 = 1, 55 is an upper bound for the longest period that can 
occur with e* = 3 . Such a cycle of length 55 is 
(512,768,430, 531,629, 98,722, 683,209, 284,995,653, 16,853, 
813,535,239,1051, 25,491,190, 55,982, 439, 54,719,676,568, 

393,307,397, 331,384,324,721,1041,860,1005,991,675,213,538, 
660,807,606, 627,101,108,347, 192,581, 354,867, 2, 8). 

Note that 55 is a divisor of A(A(23 • 47)) = A(2 • 11 • 23) =lcm(10, 22) = 110. 11 

There are typically 16 cycles of length 55, 12 cycles of length 11, 12 cycles 
of length 5 and again 9 cycles of length 1 (fixpoints): 

(0) (1) (46) (47) (93) (988) (1034) (1035) (1080). 


11 A(2 • p' • p") = lcm(l, pt — 1, p" — 1) = lcm(p' — 1, p" — 1). 
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Protecting the RSA method against attack by iteration means achieving a 
large recovery exponent for a large majority 12 of elements rrij £ Z ? . . To 
allow this, A(A(< 7 i)) should be as large as possible. In fact, there is the 

Main theorem on the iteration attack. For all e, that are relatively 
prime to X(qi ), the iteration exponent is a divisor of A(A (q )); this bound 
for the iteration exponent can be attained (see Example 2) for suitable e,. 


(4) both 


The proof is based on the corollary of Carmichael’s theorem: 

(k) eJ , j e( mod A (qi)\ , 

c v ’ = rrij mod q,; = (m- ) mod qi 

, k mod A(A(g 4 )K d \ / \ 

= (rrij 4 * ) mod . 

With k = X(X(qi )), the result is 

C (A(A(««))) = m e i moc l q. = mod A ^) mod g,. _ m i moc j q. _ c (o) _ 

Thus, A(A(gj)) is a period and a multiple of the iteration exponent. 

To prevent at least X(q i ) = X(p' i -p”) = 2 -lcm(^X ) ~ 1 ) (for 2) from 

becoming small, the following conditions for p\ and p" should also hold: 

and Pi 2 1 contain large prime factors. 

(5) gcd(^- L , ^ i 2 - 1 ) is small. 

Conditions (4) and (5) are optimally fulfilled, if p\ and p" are safe primes 
(Sect. 9.5.2): then anc i p t - 1 are prime, A (qi) = 2- ~ 1 ~ qi/2. 

The effort to find safe primes may be worthwhile, but it is an open problem 
whether or not there are infinitely many safe primes. 

Furthermore, preventing also A(A (qi)) from becoming small, in view of 
A(2 • ^ = 2 • 1 cm ((£bi — l )/2 , (^ - 1 )/ 2 ) = 2 • 1 cm (^ , 

means that the following conditions for p\ and p" should hold, too: 

( 6 ) both p ‘ 4 3 and Pi 4 3 contain large prime factors. 

(7) gcd(^ , is small. 

Conditions ( 6 ) and (7) are optimally fulfilled, if in addition 


p'i- 1 


and 


Pi 2 1 are safe primes, i.e., p( and p" are doubly safe primes’, 

p ^—3 p'i' — 3 


then — and Pi 4 3 are prime, A(A(( 7 ,;)) = 2 4 4 . 

Doubly safe primes are 11, 23,47, 167, 359 , 719, 1439, 2039, 2879,4079, 
4127,4919, 5639, 5807, 5927, 6047, 7247, 7559,7607, 7727, 9839, 10799, 
11279, 13799, 13967, 14159, 15287, 15647, 20327, 21599, 21767, ... ; also 
2 684 999, 5 369 999, and 10 739 999. Apart from 11 , all doubly safe primes 
are of the form 24a — 1. For doubly safe primes p' , p” , A(A(gi)) « q,/& . 


More cannot be expected, since there are always even fixpoints of the iteration; in fact 
Salomaa (in his 1990 book) has shown that there always exist nine of them. 
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10.4.3 Attack in Case of Small e,. The effort involved in RSA en¬ 
cryption is small if e* is small—in the extreme = 3 . This may be advan¬ 
tageous if the sender has limited computing power, e.g., in case it is a smart 
card, and if the receiver does not suffer from a rather big di , e.g., in case it 
is a central computer. 

Using small di invites an exhaustive decryption attack and should therefore 
be avoided. But using small e, is dangerous, too, in the case that one and the 
same plaintext message block m ? using the same power ei = = • • • = e s = e 

is sent to many different receivers with (presumably pairwise relatively prime) 
< 7 i , <72 > ... q s , the cryptotexts being m® mod <71 , m® mod <72 , ... to® mod q s . 
From these intercepted cryptotexts, with the help of the Chinese Remainder 
Theorem, the value of m! = to| mod < 71 -< 72 -. ■ ••< 7 S can be computed. But since 
m! is less than each of the individual moduli, the equation to j = m! holds. 
This equation with known m! and known small e (although involving rather 
big numbers) can be solved for m,j , 13 The break is not complete: di is still 
left open. 

10.4.4 Risks. There are not only certain plaintext blocks that should be 
avoided since they lead to very short recovery exponents. Example 2 shows 
that there are also choices of e,; that lower the maximal cycle length. Certain 
choices of e* are to be avoided totally: e* = A(< 7 ,) +1 means that di = A(gj) + 1 
and Ei(uij) = Di(mj) is the identity, so all rrij become fixpoints. 

There are also surprising findings: If for a given product qi = p\ ■ p" of two 
primes p \, p” X(qi) can be computed, then the factorization of qi can be 
computed. In fact, if p \ 2 1 and — 2 1 are relatively prime, the equations 
qi — 2 • A(< 7 j) + 1 = p'i + p" and q, = p\ ■ p" determine the two factors. 

10.4.5 Shortcomings. The RSA method is widely considered as practi¬ 
cally secure, provided the conditions stated above are observed; at least no 
serious successful attacks have been published. 

But the RSA method has disadvantages: 

RSA needs relatively long keys < 7 ,, in near future of 1024 or more bits. 
RSA is slower than DES by a factor of about a thousand. 

10.5 Secrecy Versus Authentication 

Because it is a public key system, an open encryption key system is confronted 
with a problem that classical, symmetric encryption methods have neglected 
for a long time: their proponents were only concerned about the passive 
enemy’s reactions, reading or eavesdropping encrypted messages transmitted 
by rather unprotected channels like wire, radio signals, or optical and acoustic 

13 M. J. Wiener, Cryptanalysis of short RSA secret exponents. EUROCRYPT ’89 Pro¬ 
ceedings. Lecture Notes in Computer Science 434, Springer 1990. 

Also: IEEE Transactions on Information Theory, Vol. 36 No. 3, May 1990, pp. 553-558 . 
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means. The goal of encryption was to make such cryptanalysis as difficult as 
possible. The possibility of active influence on the message channel was not 
taken very seriously, and the impossibility of penetration was simply taken 
for granted. This was careless. 

Wireless contact with spies, however, showed the problem at its human end: 
a spy could be captured and somebody else could operate his radio set. Such 
a Funkspiel occurred in 1942 and 1943 between the Germans and the British, 
involving a Dutch underground agent. It is always necessary to insist on a 
signature from the operator, although even that would not help if the oper¬ 
ator was ‘turned around’, too. If however the operator were working under 
pressure, he would often omit the ‘security checks’ he was supposed to inter¬ 
sperse regularly as an authenticator. All this was quite similar to civil use of 
signatures. In sensitive matters, authentication is as important as classical 
secrecy. 

But there exists a deep conflict as the following example shows: A message 
with the character of an alarm can be recorded and infiltrated later, which 
allows the release of false alarms. This can be suspended by a time indica¬ 
tion within the message—but this causes a plaintext-cryptotext compromise 
(Sect. 11.2.5) with the danger of a break. Secrecy and authentication are two 
different things, and one does not imply the other. 

The conflict is further illustrated by the role redundancy plays. An encrypted 
message is better protected against cryptanalysis, the less redundancy it con¬ 
tains; against counterfeit, the more redundancy it contains. This can be 
learned from banknotes and handwritten signatures. Secrecy is antagonistic 
to authentication, and to achieve both requires two measures that are in¬ 
dependent of each other. This can be seen in the definition of a signature 
method (Sect. 10.1.3) as opposed to a secrecy-only method. 

Encryption methods that are also signature methods offer additional identi¬ 
fying information according to a prearranged etiquette (‘protocol’) and prior 
error-detecting and error-correcting (Sect. 4.4.6) coding. 

Asymmetric methods show their strength particularly in authentication and 
are useful for key negotiation, the dangerous part of key management. This 
was pointed out from the beginning by Diffie and Heilman. The large amount 
of time asymmetric methods require (it can be larger than symmetric meth¬ 
ods by several powers of ten) is not only justified, it can also be afforded 
for signatures as well as for key negotiation, since they are usually short 
compared with messages. Asymmetric, open encryption key systems and 
classical symmetric systems are not antagonistic, but supplement each other. 
In international banking, the data are usually only weakly encrypted, but 
authentication is given high priority (and is highly profitable). 

The Digital Signature Standard (DSS) of the National Institute of Stan¬ 
dards and Technology (NIST) of the USA is based on the Digital Signature 
Algorithm (DSA), which, infringing on patents of Schnorr and ElGamal, uses 
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as one-way function the discrete logarithm function (Sect. 10.2.4.2). There 
was criticism, in particular that it was not the RSA method that was stan¬ 
dardized. Quite generally, cryptanalysis by preprocessing is advocated. 

All one-way functions mentioned so far come from residue classes in arith¬ 
metic. Another one-way function, which is mathematically highly interesting, 
comes from the ‘knapsack problem’, a problem in integer programming. 

The standardised Secure Hash Algorithm of the NIST allows on both sides 
of the transmission line the formation of 160-bit check groups. 

10.6 Security of Public Key Systems 

Shannon certainly did not want his admonitory maxim “The enemy knows the 
system being used” to be interpreted in the sense that the enemy should be gi¬ 
ven the complete machinery. ‘Open encryption key systems’ says better than 
‘public key systems’ that decryption keys and the rest are kept secret. This 
openness has technical reasons, not political ones, and a necessity is made 
into a virtue (nowadays also with symmetric methods, which do not need to 
be open). Among the public, the expression ‘public key’ may have given the 
impression that cryptanalysis is more than ever in the public domain. 

This is not so, of course. Cryptanalysis is still wrapped in a mystery inside 
an enigma. Nevertheless, I cannot help observing that the commercially used 
open key systems must be a great joy for the professional cryptanalyst. Apart 
from the system-oriented kinds of attack, all classical attack routes are wide 
open. In particular, these systems will be used too long and will be used 
under heavy traffic with one and the same running key started over and over 
again. Clever ideas may lead to illusory complications; for example, the use 
of doubly safe primes could open an avenue of cryptanalytic attack. 14 
The pretence of security that is given to the user is often wrongly based on 
nothing but combinatorial complexity. The situation in complexity theory— 
a rather difficult part of mathematics—is characterized by the fact that it 
gives almost exclusively upper bounds; lower bounds, say for the effort of 
factorization into primes, are not obtainable. 

The elimination of the classical crypto clerk, the ‘cipher clerk’ or ‘code clerk’, 
his replacement by a computer plus a typist, makes security even harder: the 
elimination of encryption errors, which were once the privilege of the crypto 
clerks, is by far counterbalanced by the lack of experience and shrewd intellect 
that are the only remedy for dangerous cryptological mistakes. 

Thus, it cannot be expected that the proposed public encryption systems are 
out of the reach of expert cryptanalysts, especially in the executive author¬ 
ities. The professionals, however, are very reserved and do not brag about 
their competence, which they are more inclined to understate. 

14 Anton Gerold has shown that conclusions can be drawn from the module on the structure 
of the doubly safe prime factors. 
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Encryption Security 


Even in cryptology, silence is golden. 

Laurence D. Smith 

Passwords serve to select a method from a class of methods, and keys especial¬ 
ly to select encryption steps from an encryption system. It is wise to assume 
pessimistically that the enemy knows what method has been chosen—there 
are not too many of them, and most cryptographers are familiar with only 
a few. The ‘basic law of cryptology’, which Kerckhoffs 1 had formulated as 
“il faut qu’il puisse sans inconvenient tomber entre les mains de TennemC 
was expressed more succinctly by Shannon in 1949: “the enemy knows the 
system being used.” It follows that one must be particularly careful in the 
choice of a key. It is a serious mistake to use obvious words. Giambattista 
Della Porta gave the express warning: “the further removed the key words 
are from common knowledge, the greater the security they provide.” The 
use of keys had hardly become common practice before unauthorized persons 
succeeded in decrypting messages by guessing the key word. 

Della Porta reported having solved a message within a few minutes, by guess¬ 
ing at the key phrase OMNIA VINCIT AMOR. Giovanni Batista Argenti 
also made the lucky guess IN PRINCIPIO ERAT VERBUM. Words such 
as TORCH and LIBERTY, GLOIRE and PATRIE, KAISER and VATER- 
LAND , expressing noble patriotic sentiments, may be very good for boosting 
morale, but are most unsuitable as cryptographic keys. (It is astonishing 
how many people choose their name or date of birth as a computer pass¬ 
word. Perhaps they are incapable of remembering anything else.) 

11.1 Cryptographic Faults 

By faults we mean infringements of security; not just the use of an obvious 
key, but anything which makes life easier for an unauthorized decryptor. 
“Funken ist Landesverraf (Radioing means high treason) was uttered at the 
beginning of the war, according to his successor General Albert Praun, by 
Major General, later General, Erich Fellgiebel, 1939-1944 Head, Signal Com¬ 
munications of the Supreme Command, German Armed Forces ( Chef der 
Amtsgruppe Wehrmacht-Nachrichtenverbindungswesen im OKW ). Indeed, 


1 Auguste Kerckhoffs (1835-1903), Flemish professor (La cryptographie militaire, 1883). 
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radio communications plainly invite eavesdropping; they should be used only 
if all other, safe means of communication are exhausted or inaccessible. The 
disciplined German army obeyed the rule—radio silence on the German side 
prior to the beginning of the Ardennes offensive in 1944 took the Allies by 
surprise—and likewise the German Navy—although at sea wire connections 
cannot be used and flag signals have limited range. However, radioing was 
considered by the German Air Force as ‘normal’ (J. Rohwer). Goring’s well- 
known bravado could lead to excessive ‘Lust zu funken’ (desire to radio), 
transmitting unnecessarily detailed reports and this not only on Air Force 
matters, but even on the situation of the Army formations (R. Elble). In¬ 
sufficient leadership and lack of supervision was characteristic of the spirit 
within Goring’s Supreme Command of the Luftwaffe. 

11.1.1 Compromises. Beyond such cardinal blunders, there are many 
opportunities to violate cipher security. That includes, of course, typing er¬ 
rors during encryption. These make the work of the authorized decryptor 
difficult or even impossible. In the latter case, disaster is just round the 
corner: he must ask for the message to be repeated. If the original word¬ 
ing is encrypted with the same key (correctly, this time), then it is an easy 
matter to compare the two messages, which will generally be identical up to 
the point where the error occurred, and some ‘differential cryptanalysis’ of 
this ‘plaintext-plaintext compromise’ will provide clues. If a different key is 
used on the same message (‘cryptotext-cryptotext compromise’), suitable 
procedures can occasionally yield the key—even if the key was a progres¬ 
sive one in which the alphabets were not yet repeated. Incredible as it may 
seem, in the Second World War the Germans frequently radioed the same 
orders to several units, belonging to different key nets, using different en¬ 
cryption methods or keys—the identical length inevitably aroused suspicion. 
A telling example is given by the fact that on January 30, 1943 the promotion 
of Donitz to Admiral of the Fleet was transmitted over all key nets in iden¬ 
tical wording—not even padding it by dummy texts of different length. The 
only safe way out is to rewrite the message using different words and phrases. 
Not even the Russian method (Sect. 3.4.2) of cutting the message somewhere 
in the middle and joining the parts in reverse order can help in such cases. 

11.1.2 Other trivialities. Another classic technical mistake is to repeat 
an encrypted message in plain; for example, because the recipient has not yet 
received the new key. The method and in the case of a Shannon encryption 
(Sect. 2.6.4) even the key can now be reconstructed. That may compromise 
not just the key for the day, but also the basic method used for constructing 
or selecting the daily key, or compromise a codebook. For that reason, “woe 
betide anyone who transmits plain text” was a cast-iron rule of Lieutenant 
Jager (Sect. 4.4), who was a favorite of the Allied cryptanalysis groups. 

It is obviously a climax in the life of a professional cryptanalyst to expe¬ 
rience a compromise, and equally understandable that the secret services 
employ all their cunning to try and provoke such an occurrence. In 1941 
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a senior Japanese civil servant managed to slip the American ambassador 
Joseph C. Grew a note, with the remark that a member of the Japanese 
government wanted to communicate the message to the US government but 
was afraid that the military leaders might get wind of it, and would he there¬ 
fore transmit it in the most secret diplomatic code. That was M-138-A, 
and so the encrypted text of a known message flashed across the ether. Never¬ 
theless, it was said that the Japanese failed to break M-138-A. 

There was a similar story at the time of the Dreyfus affair. When Alfred 
Dreyfus was arrested in 1894, on the flimsiest of accusations, and La Libre 
Parole joyfully trumpeted the news, General Panizzardi, the Italian military 
attache at the Quai cl’Orsay, sent a telegram back to Rome. The French 
cryptanalysts, who were passed a copy, had reason to believe that Panizzardi 
had used the commercial (!) Baravelli code (Sect. 4.4.3) which operated with 
groups of one, two, three, and four, and that the code was then super- 
encrypted. Searching for the sequence /dreyfus/, which would have to be 
encoded as 227 1 98 306, they found the pattern 527 3 88 706 and so knew 
that the recrypting affected only the first digit of each group (it was achieved 
by renumbering the pages of the code book). They were able to decrypt the 
message with the exception of the last four groups. It was suspected that 
these signified uffiziale rimane prevenuto emissaria, which was taken (by 
Sandherr, the chief of intelligence) as evidence of Dreyfus’ guilt. The next 
day they worked out the system of page renumbering, which yielded uffizial- 
mente evidare commenti stampa. This exonerated Dreyfus, but Sandherr was 
unconvinced. “These things are always somewhat imprecise,” he commented. 
So Matton, one of Sandherr’s subordinates, had the idea of palming a mes¬ 
sage on Panizzardi. A double agent leaked him a text made to look like an 
important message, and Panizzardi passed it on almost word for word. The 
cryptanalysts were not aware of what was going on, and decrypted the mes¬ 
sage almost immediately; Matton was now convinced he had been right. All 
the same, a falsified version was presented in court, and it took until 1906 be¬ 
fore Dreyfus was acquitted. France has still not got over its Dreyfus scandal: 
in February 1994 the French Defense Minister Frangois Leotard dismissed 
the head of the Armed Forces historical archive, Colonel Paul Gaujac, for 
publishing an ‘unacceptably tendentious analysis’ of the Dreyfus case. 

The Austro-Hungarian empire also had its triumph. After Figl’s team had 
analysed 150 words of an Italian diplomatic code used between Rome and 
Constantinople, they increased their knowledge step by step by a process 
of smuggling fragments of information of military relevance into an Italian 
newspaper published in Constantinople. Within a month they were able to 
extend their vocabulary to 2000 words. 

An even simpler method is one the Russians are famous for: stealing the 
plaintext from the ambassador. Italy, too, had its penetrazione squadra. 
After such a theft the diplomat is quick to assure his government that the 
code in use, which is now compromised, was not a very important one. 
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An example of an obsolete code was the US State Department’s GRAY code 
(meaning the color gray and not Gray’s method of binary encoding). When 
it came into use at the end of the First World War to replace the outdated 
and already compromised RED, BLUE, and GREEN, nobody thought it 
would remain in use for two decades. The Foreign Service officers were so 
familiar with it that they could deliver extempore speeches in GRAY. On 
December 6, 1941 Franklin Roosevelt sent a memo to Cordell Hull: “Dear 
Cordell—shoot this to Grew [the American ambassador in Tokyo] —I think it 
can go in gray code—saves time—I don’t mind if it gets picked up. FDR.” It 
was too late to achieve the desired effect; it took time to decrypt the text, 
and the personal peace overture which Roosevelt wanted to communicate to 
Tenno would in any case not have prevented the attack on Pearl Harbor. 

11.1.3 Revealing words. These episodes show up a general method of 
cryptanalysis, that of the probable word. Such words are often based on cur¬ 
rent events; then the message must be rephrased. In the First World War, 
French troops carried out attacks on German positions simply to trigger 
certain ‘probable words’ in German radio transmissions—it is a good thing 
that soldiers seldom know what they are risking their lives for. In the Second 
World War the British sank a lighted buoy which marked a channel through 
the otherwise mined entrance to Calais, merely in order to trigger a German 
message containing the sequence /leuchttonne/ (Sect. 14.1). 

Besides words such as attack, bombardment, etc., military communications 
contain a treasure of conspicuous words and stereotyped phrases such as head¬ 
quarters and general staff, division, and radio station. The same message re¬ 
peated daily—even if it only reports “nothing to report” —can have a devas¬ 
tating effect. It provides a chink for applying the method of the probable 
word, just like the words love, heart, fire, flame, burning, life, death , which 
Della Porta listed as being the immutable building blocks of love letters. 
Stereotyped phrases can nullify the advantages of a change of key: the new 
key can rapidly be deduced from the repeated sequences. Not everyone, of 
course, will be as lucky as Lieutenant Hugo A. Berthold of office G.2A.6 of 
the American Expeditionary Forces, who intercepted a radio transmission at 
07:40 on March 11, 1918, which consisted of a string of digits and was evi¬ 
dently in a new key; a few hours later he heard a message of the same length 
but in letters—the recipient had not received the new ciphering instructions 
and had requested a repeat transmission in the old key. And with the PLAY¬ 
FAIR manual key used by the German Afrika-Korps, a similar compromise 
took place when the key was changed on January 1, 1942. 

It had far-reaching consequences when the existence of the forthcoming 
4-rotor ENIGMA was revealed late in 1941 by several practice transmissions 
in parallel with a message encrypted using the 3-rotor ENIGMA. As a result, 
Bletchley Park was able to work out the wiring of the new (‘Greek’) rotor /3 
before the new ENIGMA M4 was officially introduced on February 1, 1942. 
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Even in peacetime it is important to master the craft: because nobody 
knows any better, standard texts and obvious phrases are transmitted on 
manoeuvres. If the wording is sufficiently unimaginative, the entire cryptosys¬ 
tem can be revealed before a single shot is fired. As Hiittenhain wrote: “It is 
a mistake to take as the main encrypting method one that has already been 
used by a small circle over an extended period.” As far as the—sometimes 
unavoidable—stereotyped beginnings and endings are concerned (‘For Mur¬ 
phy’: Sect. 4.4), even the method of ‘Russian copulation’ is of little help; 
nevertheless, it can put inexperienced codebreakers off the scent. 

11.1.4 Dummy filling. The very fact that a message is being transmitted 
may be significant. Knowing that the communications channels are likely to 
be heavily loaded during a major military operation, staff officers tend to send 
their personal messages a few days beforehand. This is called the underwear 
effect. If conditions allow, the communications channels should be kept open 
all the time, and ‘dummy filling’sent during quiet periods—not test phrases 
or excerpts from newspaper articles, but irrelevant and nonperiodic sequences, 
if possible random text or better synthetic language with a multigram letter 
frequency similar to some natural language (‘traffic padding’). Non-periodic 
sequences can be generated by starting at random or irregular points in a 
text of, say, 10 000 words. Still better, using a method proposed by Shannon 
in 1945, Kupfmiiller in the 1950s, an ?r-gram approximation is obtained from a 
master text by using a shift register process: Taking the last n — 1 characters, 
the next word in the master text is sought that contains these consecutive 
characters; then the following character is adjoined and the process is re¬ 
peated. With a tetragram approximation, from the first chapter of a famous 
novel by Thomas Mann the following synthetic nonsense text was derived: 

thomas ist daher mit mein hand zeigen augen von geschaeftig 
im kreissigen mauemdisellschaeftwar zur seligen durchterlich 
hier familie hierheben herzigkeit mit eindrinnen tonyzu 
plaudertfuenf uhr erzaehlungich regeshaehm die konnte 
neigte sie dern ich was stuetzte heissgetuebrige wahrend tause 

Traffic flow security by ‘padding’ with nonsense text greatly increases the 
load on the unauthorized decryptor and delays his decryption of a genuine 
message. On the other hand, the intended recipient must be on his guard 
not to overlook an occasional genuine message in the flood of garbage. 

11.1.5 Stupidity. Even thoughtless filling with /x/s, repeating a word or 
the use of letter doublets can present a risk. The solution is to rephrase the 
sentence or use synonyms or homophones (chosen at random!)—this includes 
the use of nulls to conceal partial repetition in the vicinity of homophones. 
And it is one of the basic rules of professional cryptography to suppress not 
only punctuation but also word spacing. Thus it is horrifying to think that 
it was common practice (if not explicit orders) in the German Wehrmacht 
to insert /x/ for stop, /y/ for comma, /]/ for quotation marks, and even 
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/xx/ for colon, /yy/ for hyphen. Sometimes, numbers encoded by letters 
were bracketed: /y/.../y/ Important words were doubled, i.e., /anan/ for ‘to’ 
and /vonvon/ for ‘from’, /kk/ for klar , /krkr/ for Kriegstelegramm (‘very 
urgent’). And even tripling of letters was used: /bduuu/ for Befehlshaber 
der U-Boote, /okmmm/ for Oberkommando der Marine , /vvv/ alternatively 
for ‘from’ (on the other hand, German /ch/ was frequently replaced by /q/). 

An example is given by the message sent by the German battleship Bismarck 
shortly before she sank on May 27, 1941: 

KRKR FLOT TENC HEFA NANO KMMM XXTO RPED OTRE FFER ACHT ERAU 

SXSC HIFF MANO EVRI ERUN FAEH IGXW IRKA EMPF ENBI SZUR LETZ 

TENG RANA TEXE SLEB EDER FUEH RERX (Most immediate. Torpedo hit 

right aft. Ship unmanoevrable. We fight to the last shell. Long live the Fiihrer.) 

These antics, together with the inevitable ‘by order of the Fiihrer’ and ‘Heil 
Hitler’, which nobody dared suppress, greatly aided the British in break¬ 
ing ENIGMA. They were so used to these foolish German habits that they 
became quite indignant when decrypted ENIGMA transmissions produced 
meaningless sequences (in Bletchley Park jargon quatsch) at the beginning 
and end of a message. 

More attention was paid to these things at the time of Alberti and Della Porta 
than in the 19th and 20th centuries, when people had become overconfident 
of the uncrackability of superencrypted codes and other combined methods. 
Suppression of double letters is only one of the ‘deliberate spelling mistakes’ 
which Leone Battista Alberti, in De cifris , recommended. As Giambattista 
Della Porta so wisely wrote in 1563, “For it is better for a scribe to be thought 
ignorant than to pay the penalty for the detection of one’s plans.” Unfor¬ 
tunately, the more senior the officer, the less he can be expected to show the 
insight needed to put up with disfigured texts. The ideal crypto clerk would 
possess cold-blooded intelligence combined with poetic imagination and a to¬ 
tal disregard of conventional spelling. Of course it is tempting to encipher 
‘radio’ and ‘station’ separately, or even spell them out in letters, like the Aus¬ 
trian clerk who was too lazy to look up the right combination; that provided 
Luigi Sacco with a break in 1918 (Sect. 13.4.1). The same applies to misusing 
nulls as word spacings; some members of the French resistance used ‘tabac’ as 
a dummy, which may have brought the required reinforcements but also led to 
the cracking of a double transposition. One careless mistake can have disas¬ 
trous consequences. “The sending of this one message must certainly have cost 
the lives of thousands of Germans” wrote Moorman, the chief of G.2 A.6, 
about Berthold’s episode (Sect. 11.1.3), which revealed the plans for the Ger¬ 
man offensive of March 21, 1918. 

11.1.6 Enlightenment. It is the mark of a good signal officer that he ex¬ 
plains to his subordinates how the slightest encrypting mistake plays into the 
hands of the enemy, and he also monitors their efforts. Givierge 2 writes 

2 Marcel Givierge, French general, successful cryptanalyst in the Second World War, au¬ 
thor of Cours de Cryptographic, Paris 1925. 
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“encode well or do not encode at all. In transmitting cleartext, you give only a 
piece of information to the enemy, and you know what it is; in encoding bad¬ 
ly, you permit him to read all your correspondence and that of your friends.” 
However, this well-meant advice should not be interpreted so literally as to 
transmit radio messages without encrypting them. That happened at the end 
of August 1914 with Rennenkampf’s Russian Narev army in East Prussia, be¬ 
cause the troops had not yet received the code books and the telephone lines 
were overloaded or non-existent. Hindenburg and Ludendorff won the battle 
of Tannenberg thanks to the clear signals the Russians sent; nevertheless 
they became popular heroes as a result. At the other extreme, the Germans 
encrypted in the Second World War weather reports in the International Me¬ 
teorological Code; as the prevailing wind is westerly in Europe, that often 
provided the ‘probable word’ and lead to compromises with U-boat messages. 
It would have been better to transmit such low-priority messages in Klartext. 
Rohrbach recommended (Sect. 11.2.5) including vulnerability to errors when 
assessing the security of a method, on the principle that humans err. Rules 
of intelligence security and counter-intelligence also play an important role. 

11.1.7 Proof in court. The use of easily memorized passwords and keys 
provides the unauthorized decryptor with a kind of proof; for example, in 
court, if he succeeds in reconstructing a key. That is particularly true if the 
key has some special significance for the originator of the message. 

11.1.8 Negligence is dangerous. The organizational inconvenience of 
maintaining crypto security must not be underestimated. Regular changes of 
key make work for all concerned. Even so, it is hard to understand why the US 
State Department was still using such short key words as PEKIN and POKES 
as late as 1917, though Della Porta used CASTUM FODERAT LUCRETIA 
PECTUS ALGAZEL ; the Argentis had used keys such as FUND AMENTA 
EIUS IN MONTIBUS SANCTIS or GLORIA DICENTUR DE TE QUIA 
POTENTER AGIS. As Vigenere wrote: “the longer the key, the harder is 
the cipher to break.” 

A necessary condition of polyalphabetic encryption is that it be quasi-non- 
periodic; that is to say, if the key is periodic it must not be significantly 
shorter than the message. If necessary, a long message must be chopped up 
and the parts encrypted with different keys. Hitt’s warning that “no mes¬ 
sage is safe unless the key phrase is comparable in length with the message 
itself” does not mean that the message may be as long as the period of the 
key—whether or not an encrypting machine is used. Messages of over 1000 
characters are in any case at risk, since automatic decryption techniques for 
the M-209, for example, work well with a message of about 800 characters or 
more (pure cryptanalysis, Sect. 22.2.3.1). Messages of 200-300 characters are 
normally safe from such an approach; a maximum length of 500 characters 
was allowed with the M-209. The limit for the Army ENIGMA was 180 char¬ 
acters, increased to 250 characters after Jan. 13,1940 (Sect. 8.5.3), 320 char¬ 
acters for the Navy ENIGMA. Longer messages had to be divided into parts. 



218 11 Encryption Security 


The use of an individual key represents additional organizational effort and re¬ 
quires extra security and counter-espionage measures. There are many situ¬ 
ations where it becomes impossible, for example, in isolated positions where 
the (safe) supply of new keys cannot be guaranteed, or where a stock of indi¬ 
vidual keys might fall into the hands of the enemy and be used for deception. 

11.1.9 Authentication. This raises the question of how a receiving sta¬ 
tion can tell whether a radio message originates from a legitimate partner 
or an impostor. The cryptographic measures mentioned in Sect. 10.5 can be 
supplemented by steganographic measures (security checks), such as insert¬ 
ing particular null characters at specific points in the cryptotext, or making 
deliberate spelling mistakes at agreed points in the plain text—quite apart 
from the ‘fist’, the individual transmitting style (a ‘radio fingerprint’) of the 
operator who does the Funkspiel ‘playback’. 

11.1.10 Unlawful attack. It is worth mentioning the most banal and most 
brutal cryptanalytic method: the capture of crypt documents by espionage, 
theft, robbery, or as spoils of battle. The best way of protecting oneself 
against that is obvious, yet frequently ignored: What no longer exists cannot 
fall into unauthorized hands! (Karl WeierstraB took that to heart with Sofia 
Kovalevskaya’s letters.) The maxim applies particularly to individual keys: 
the used key tape from the cipher machine should be shredded at once 
(Sect. 8.8.2) or otherwise made unserviceable, as was done with the Siemens 
SFM T 43. Planning for multiple use of individual keys (Sect. 8.8.7) is absurd. 

11.1.11 Battlefield attack. It is a truism that war can bring rich booty. 
That applies particularly to cryptological material. For example, the German 
submarine U-33 was captured by the Royal Navy in the Firth of Clyde on 
February 12, 1940. The otherwise reliable radio operator Kumpf forgot to 
throw the ENIGMA rotors overboard. The Poles had already worked out the 
wiring of the first five, but rotors VI and VH were new to the British. In Au¬ 
gust 1940 rotor VIII was captured, too. On April 26, 1940 the German Q-boat 
Polares (Vorpostenboot 26) was seized off Alesund. The British found match¬ 
ing plaintext and cryptotext for the previous four days, although this was not 
enough to allow the encryption of the naval ENIGMA to be fully broken. The 
operating instructions captured from the submarine U-13 in June were also 
of little help. The breakthrough came the next year: on March 4, 1941 the 
capture of the trawler Krebs in the Norwegian Vestfjord produced not only 
two familiar rotors but also the complete keys for the previous month. This 
allowed BP to read in March 1941 all of the February Kriegsmarine signals. 
As a consequence, the reconstruction of the bigram tables used was possible. 
On May 7, a planned attack on the weather ship Munchen provided complete 
keys for June (those for the current month, and the machine itself, had been 
thrown overboard) and also the Wetterkurzschliissel. The U-110 was forced 
to surface in a depth-charge attack off the west coast of Ireland on May 9,1941 
and was boarded by a crew of the destroyer HMS Bulldog', the booty in¬ 
cluded besides another ENIGMA machine a golden treasury of rules for its 
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use, including the BACH bigram table (Sect. 4.1.2) for encoding the indica¬ 
tor, and also the Kurzsignalheft. Finally, there was another planned attack 
on a weather ship, the Lauenburg, on June 28, 1941. The Germans managed 
to ditch the ENIGMA, but the British captured the complete keys for July. 
That gave Bletchley Park a breakthrough for the 3-rotor naval ENIGMA; 
from then on, they could eavesdrop regularly on radio communications to and 
from submarines, with only a few hours’ delay—with obvious consequences. 
The introduction of the 4-rotor ENIGMA on February 1, 1942 caused a black¬ 
out, but by December 1942 the signals could again be decrypted on a regular 
basis, and the Allies gained the upper hand in the U-boat war. This was 
again achieved by capture, which brought to light an incredible stupidity on 
the part of Eberharcl Maertens, Head, and of Ludwig Stummel, Chief of Staff, 
of the Marine-Nachrichtendienst. The seizing of the U-559 off Port Said on 
October 30, 1942 by HMS Petard provided a new edition of the Kurzsignalheft 
and a second impression of the Wetterkurzschliissel, which would have been 
a fair prize in itself. In addition, Philip E. Archer managed on December 13 
to decrypt a message that showed that when the 4-rotor ENIGMA was com¬ 
municating with coastal stations that had only a 3-rotor machine, the fourth 
rotor (the Griechenwalze ) was simply placed in the neutral position. That was 
a convention which made communication possible. The stupidity was that the 
three-letter ring setting of the 3-rotor ENIGMA was always the same as the 
first three letters of the ring setting for the 4-rotor machine. That was not ne¬ 
cessary, but was done purely for convenience in producing the monthly or¬ 
ders. It meant that if the enemy knew the ring setting for the 3-rotor machine, 
then only 26 attempts were needed to find the setting for the ‘Greek’ rotor. 
Thus, starting with December 13, 1942 the British finally cracked the 4-rotor 
ENIGMA for the entire TRITON key net of the submarines (introduced in 
1941); even the introduction of a second Greek rotor on July 1, 1943 did little 
to alter their complete mastery of ENIGMA traffic until the end of the war. 

However, the British had losses to contend with, too. In late 1940, the German 
auxiliary cruiser Komet (‘Schiff 45’) under Capt. Eyssen captured bigram ci¬ 
phers and code books from several ships of the Merchant Navy. The Allies did 
not find out about it until they studied the German archives after the war. 

11.1.12 Bagatelles. Even the smallest details can betray information of 
great significance. In August 1941 the German submarine U-570 fell into 
British hands off the coast of Iceland, almost without a scratch. The wooden 
box for the ENIGMA was empty, but there was a slot for a fourth rotor. 
That was confirmation of what they already suspected from references to the 
4-rotor ENIGMA in manuals that had been captured, that the introduction 
of this version was imminent. It is such a wealth of minor details which weave 
the tapestry that keeps cryptanalysis going. Every interruption in the thread 
is a setback to decryption, for a shorter or longer time, possibly for ever. 
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The [ENIGMA] machine, as it was, 
would have been impregnable, 
if it had been used properly. 

Gordon Welchman 1982 

No cipher machine alone can do its job properly, 
if used carelessly. During World War II, 
carelessness abounded, particularly on the Axis side. 

Cipher A. Deavours , Louis Kruh 1985 

Over the centuries cryptology has collected a treasury of experiences—even 
the open literature shows this. These experiences, normally scattered, can 
be concentrated into a few maxims for cryptographic work, in particular 
for defense against unauthorized decryption. Especially now, in the era of 
computers, these maxims have importance for a wider circle than ever. 

11.2.1 The native abilities of man include confidence, fortitude, and with¬ 
standing danger. These positive qualities have the side effect that man is 
inclined to overrate his abilities. But 

Maxim No. 1: One should not underrate the adversary. 

As we have seen, the German authorities did not suspect that the Allies could 
have penetrated their cryptosystems. There were isolated cases 3 of appre¬ 
hension, but the official opinion was held stubbornly. The Kriegsmarine was 
the only arm of the service that improved its crypto machines decisively by 
a transition on February 1, 1942 from the 3-rotor ENIGMA to the 4-rotor 
ENIGMA, and by providing since 1938/1939 altogether eight rotors, com¬ 
pared to five for the Army and Air Force ENIGMAs. Thus it accepted that 
it was worthwhile to do more for its security. The German Generalstab was 
confident of victory and was intellectually not prepared to take warnings seri¬ 
ous. But even in the Navy there was a deep-rooted belief in the unbreakability 
of the ENIGMA. For example, still in 1970, Kapitan zur See [Commodore] 
Heinz Bonatz, once Staff Officer in the B-Dienst of the Kriegsmarine , pub¬ 
lished in a book his naive belief that the Allies, although they had seized 
some ENIGMAs, had not broken the German cryptosystem—at worst, the 
Allies would have been able to read German signals for a limited time. 

It was not only the Germans who were unsuspecting. The US cryptolo- 
gists, too, could not imagine that Rohrbach had broken their M-138-A. And 
the Signal Security Agency of the US Army had tried to break their new 
M-134-C (SIGABA), a rotor machine, without success. What would that 


3 Already in 1930, First Lieutenant Henno Lucan, Second Signals Officer of the battleship 
Elsafi, pointed out in a study a weakness of the ENIGMA G. With the introduction of 
the plugboard in the ENIGMA I, the worries seemed to be banished. 
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mean? Why couldn’t the Germans do as well as the British, who had con¬ 
quered the ENIGMA? Typically, it was Roosevelt, the intellectual among 
the Allied leaders, who always slightly distrusted the assertions of the cryp- 
tologists. Did he know better the deep-rooted human habit of ignoring the 
undesirable? Anyhow, the SIGABA was indeed unbreakable at these times. 
It took G.C.&C.S. three war years to find out that the B-Dienst of the Kriegs- 
marine did read some of their encryptions. ENIGMA decrypts gave finally 
the proof that at least Naval Cypher No. 3, since June 1941 the main crypto¬ 
system for convoy formations in the North Atlantic (German code name 
Frankfurt. ), was broken. It was replaced by Naval Cypher No. 5, and thus, 
from the middle of June 1943, as was made known after the war, the Germans 
were rather cut off from the well. What would have happened if the Germans 
had found out in the same way about the insecurity of their ENIGMAs? 

Perhaps nothing, as a particularly crass case of the permanent underrating of 
the British by Rear Admiral Eberhard Maertens and Captain Ludwig Stum- 
mel shows. In fact, in March 1942, two German auxiliary cruisers were sunk. 
Admiral Fricke requested an investigation- but no hints were found. Then, it 
happened in mid-1943: Decrypts of signals from Allied convoys showed that 
the Americans supposed there were twenty German submarines in a narrow 
map square. Indeed, the wolfpack Meise with its 18 boats was in the square. 
The Befehlshaber der Untersee-Boote, Grofladmiral Karl Donitz (1891-1980), 
ordered Maertens to investigate, as he had done in 1941 when U-570 was 
seized. “Again Maertens exculpated ENIGMA. The British U-boat situation 
reports themselves stated that the Allies’ information on submarine loca¬ 
tions was coming from direction-finding ...” (Kahn). Maertens also saved his 
head by explaining falsely that they had been located by the H2S (German 
code name Rotterdam-Gerdt), a radar bombing aid working on a wavelength 
of 9.7 centimeters, found February 2, 1943 in a British bomber shot down 
over Rotterdam. Donitz had to comply, but remained suspicious and finally 
fired Maertens after an accident around the convoy SC 127 on March 12, 1944 
was again explained by either treason or lack of cipher security. It is known 
today that poor Maertens was the victim of tricky British disinformation. 

The Russians also managed to penetrate the ENIGMA encryption. They 
raised U-250 after she was sunk in the Gulf of Finland on July 30, 1944 and 
recovered her ENIGMA. Opinion is divided on how far the Russians suc¬ 
ceeded. While in a German document from January 1943 it is stated “It is 
certainly true that in individual cases the Russians succeeded in decrypting 
ENIGMA messages,” E. E. Thomas said in 1978 that after ten years of de¬ 
tailed study he found nowhere any evidence to show that the Russians at any 
time could decrypt the German ENIGMA radio traffic. 

Whether the Soviets penetrated US cryptosystems was often debated, par¬ 
ticularly after Isaac Don Levine, the Russian-born journalist who specialized 
in Soviet affairs, became “convinced by mid-1939 from numerous conver¬ 
sations he had with General Walter Krivitsky, the defected head of Soviet 
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military intelligence for Western Europe (who committed suicide in 1941), 
that the Communist cryptanalysts were reading American codes” (Kahn). 

11.2.2 More harmless, but also more imperiled, are the inventors of crypto¬ 
systems. “Nearly every inventor of a cipher system has been convinced of the 
unsolvability of his brainchild,” writes Kahn. A rather tragicomic example 
was offered by Bazeries himself. Working for the French government and 
army, he had ruined a number of inventions by breaking test samples he 
had asked for. Finally, he invented his own system and promptly dubbed 
it absolutely secure. The Marquis cle Viaris, whose invention Bazeries had 
smashed a short while before, took revenge. He even invented a method 
of cryptanalysis (Sect. 14.3) applicable for a wide class of instruments, from 
Jefferson and Bazeries to M-94 and M-138-A, all using families of unrelated 
alphabets. Here we are led to Kerckhoffs’ maxim: 

Maxim No. 2: Only a cryptanalyst, if anybody, can judge the 
security of a cryptosystem. 

This knowledge can be found with Giambattista Della Porta, and was for¬ 
mulated by Kerckhoffs in 1883. He criticized judging the encryption security 
of a method by counting how many centuries it would take to exhaust all 
possible combinations. Indeed, such counts of combinatorial complexity can 
only give a bound for the effort necessary in the worst case, for the crudest of 
all cryptanalytic methods, exhaustive search, also called ‘brute force attack’. 
Everywhere in the civilized world therefore the governmental services (and 
some non-governmental ones) have the double duty to design secure crypto¬ 
systems and to break allegedly secure ones. “With code breakers and code 
makers all in the same agency, NSA has more expertise in cryptography than 
any other entity in the country, public or private,” wrote Stewart A. Baker, 
not without pride. He is a famous lawyer, who was for a few years the top 
lawyer at the National Security Agency. His praise would sound even better 
from a neutral source. 

11.2.3 Kerckhoffs was one of the first to deal with cryptography from a 
practical point of view. In discussing questions of ease of handling (to be 
treated later) he wrote: “It is well to distinguish between a cryptosystem 
intended for a brief exchange of letters between a few isolated people and a 
method of cryptography designed to regulate for an unlimited time the corre¬ 
spondence between different army commanders”. He distinguished between 
the cryptosystem as a class of methods (French systeme) and the key in the 
narrower sense and postulated, as mentioned above, “// faut qu’il puisse [le 
systeme} sans inconvenient tomber entre les mains de Vennemi.'" [No incon¬ 
venience should occur if the cryptosystem falls into the hands of the enemy.] 
This brought Shannon to formulate more precisely: 

Maxim No. 3: In judging the encryption security of a class of 
methods, one has to take into account that the adversary knows the 
class of methods (“The enemy knows the system being used”, Shannon). 
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Otto J. Horak expressed it this way: “Security of a weak cipher method is 
not increased by trying to keep it secret”. 

For practical reasons, in certain situations certain methods are used prefer¬ 
entially, others not at all. In particular, the ingrained conservatism of the 
established apparatus creates certain preferences, which cannot be hidden 
from the adversary (‘encryption philosophy’). Moreover, a rough differen¬ 
tiation, like one between transposition, monoalphabetic and polyalphabetic 
encryption, is possible on the basis of simple tests. There are also rules 
of thumb, like Sacco’s criterium that a short cryptotext of not more than, 
say, 200 characters embracing all characters of the alphabet is most likely 
polyalphabetically encrypted. 

Machines and other devices, including encryption documents, can fall in com¬ 
bat into the hands of the enemy or can be stolen. This includes machines like 
the ENIGMA. Following Kerckhoffs’ doctrine strictly, the ENIGMA should 
have been extended at the beginning of the Second World War in one big 
step to a 5-rotor machine; the rotor position ( Walzenlage ) should have been 
changed from the first day every 6 hours (not merely three times a day from 
1942 on); and every three months the rotor set should have been exchanged 
completely. Admittedly, this would not have been easy, in view of the tens of 
thousands of ENIGMAs, but it would have been appropriate in retrospect. 
But, as Kahn wrote, “the Germans had no monopoly on cryptographic fail¬ 
ure. In this respect the British were just as illogical as the Germans.” And 
the Americans were illogical, too. Their cipher machine M-209, constructed 
by Hagelin and built under license, was considerably less secure than the 
ENIGMA and was also used by the Italian navy (C-38m), an Axis partner. 
No wonder the Germans in North Africa in 1942 and 1943 often knew the 
goals and times of American attacks. And the British, who could solve the 
C-38m too, knew all they needed about the supply situation of Field Marshal 
Erwin Rommel. 

11.2.4 The desire of the cryptographer not to make it too easy for the ad¬ 
versary leads to the introduction of complications of known methods. The 
composition of methods (Chapter 9) has long been used for this purpose, 
mainly the combination of essentially different methods, like transposition 
of a monoalphabetic substitution or superencryption of code by polyalpha¬ 
betic encryption. Specific cryptanalytic methods, however, are frequently 
insensitive to such complications. At best nothing is gained, at worst the 
combination offers an unforeseen entry. According to Givierge (1924): 

Maxim No. 4: Superficial complications can be illusory, for they 
can provide the cryptographer with a false sense of security. 

In a typical case, someone excludes with the very best intention, but quite 
unnecessarily, the identity as encryption step in a VIGENERE, under the 
impression that no letter should be left untouched, and thus no letter may 
represent itself. But this property allows one to determine for a sufficiently 
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long probable word a few positions where it could be found (Chapter 14). 
The same property is shared by cryptosystems with monocyclic alphabets, 
all cylinder devices from Jefferson and Bazeries to the M-94, and all strip 
devices from Hitt to the M-138-A. Moreover, all cryptosystems with proper¬ 
ly self-reciprocal alphabets have the property too; including the ENIGMA, 
thanks to the invention of the reflecting rotor, which was a masterpiece of 
complication illusoire. To this, Welchman remarked “It would also have been 
possible, though more difficult, to have designed an Enigma-like machine 
with the self-encipherment feature, which would have knocked out much of 
our methodology, including ‘females’ [Sect. 19.6.2.1].” 

11.2.5 Finally, the last and perhaps the most important point is human 
weakness. The encryption security is no better than the crypto clerk. The 
unauthorized decryptor feeds on the faults mentioned at the beginning of this 
chapter. Rohrbach’s advice was: 

Maxim No. 5: In judging the encryption security of a class of 
methods, cryptographic faults and other infringements of security 
discipline are to be taken into account. 

First of all, there are the so-called compromises , i.e., exposures of the key: 
plaintext-cryptotext compromise: repetition of the transmission in clear; 
plaintext-plaintext compromise of the key: transmission of two different 
plaintexts, encrypted with the same key text: transmission of two ‘isologs’; 
cryptotext-cryptotext compromise of the keys (‘reencipherment’,‘reencode- 
ment’): transmission of two ‘isomorphs’: the same plaintext, encrypted with 
two different key texts. In particular, key nets invite this compromise. 
Next, there are the classical faults enabling a ‘probable word’ attack: 

the frequent use of stereotype words and phrases (which flourish not only 
in diplomatic and military language), 

the use of a common word for a sudden or unforeseen event, 
the use of short passwords and keys that can easily be guessed. 

Moreover, there are the elementary rules of a good cryptographic language: 
not to use double letters and frequent letter combinations like /ch/ and /qu/ , 
to suppress punctuation marks and in particular to suppress the word spacing, 
to use homophones and nulls prophylactic ally against probable word attacks. 
Plaintext prepared optimally for encryption is orthographically wrong, lin¬ 
guistically meager, and stylistically horrible. Which commanding general 
would like to phrase an order in this way, which ambassador would send such 
a report to the head of his government? The answer is simple: they should 
not do it themselves, but their crypto officers should have to do it for them. 
Both Roosevelt and Churchill complied in the Second World War with the 
needs of crypto security. But arrogant Murphy did not. 

In addition, ambassadors and generals are normally disinclined to take the 
time to supervise their crypto clerks; indeed most of them do not understand 



11.3 Shannon’s Yardsticks 225 


their needs and are cryptologically ignorant. When Wheatstone invented a 
special bigram substitution that was later called PLAYFAIR (Sect. 4.2.1), he 
could not overcome the Foreign Office’s dislike of complicated encryption. 
Napoleon’s generals (using a PORTA encryption) encrypted their messages 
only partly, and so did even in 1916 the Italians at the Isonzo battle. 

An important principle for communication services is therefore that monitor¬ 
ing and surveillance of their own units is at least as important as listening to 
the adversary’s. To this, Erich Huttenhain remarked: “ Ein Verbiindeter, der 
keine sicheren Chiffrierungen verwendet, stellt ein potentielles Risiko dar.” 
[An ally who does not use secure cryptography represents a potential risk.] 

It is frequently said that a cryptographer’s error is the cryptanalyst’s only 
hope. This hope is justified: there is always nervous stress for the crypto clerk 
in diplomatic and military service and encryption errors are likely to happen. 
The more complicated the method, the more mutilated will be the plaintext 
that is eventually decrypted. Under pressure of time, the dangerous repeti¬ 
tion of a message without careful paraphrasing may then seem unavoidable. 
Givierge’s advice was: Chiffrez bien, ou ne chiffrez pas. 

The good cryptologist knows that he cannot rely on anything, not even on 
the adversary continuing his mistakes. He is particularly critical about his 
own possible mistakes. Surveillance of one’s own encryption habits by an 
advocatus diaboli is absolutely necessary, as the experiences of the Germans 
in the Second World War showed only too clearly. Sir Stuart Milner-Barry 
wrote “Had it not been for human error, compounded by a single design 
quirk, the Enigma was intrinsically a perfectly secure machine.” 

The design quirk, the seemingly clever idea (7.3.2), was the properly self¬ 
reciprocal character of the enciphering caused by the introduction of the 
reflector. For a facilitation of the operation a high price was paid by allowing 
a dangerous encroachment. 

11.3 Shannon’s Yardsticks 

If somebody is willing to follow the advice given so far, there remains the 
question of which method to take. The answer depends on the one side 
on the degree of security desired, on the other side on the effort invested. 
Claude E. Shannon (1916-2001) listed 4 five yardsticks for measuring a class 
of cryptographic methods: 

(1) Degree of required How much does the adversary 

encryption security gain from receiving a 

certain amount of material ? 

(2) Key length How short is the key, 

how simple is its manipulation? 

4 Claude E. Shannon, A Mathematical Theory of Cryptography. Internal Report, Septem¬ 
ber 1, 1945. Published in: Communication Theory of Secrecy Systems. Bell System 
Technical Journal 28, 656-715 (October 1949). 
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(3) Practical execution of 

How much work 

encryption and decryption 

is necessary? 

(4) Inflation 

How much longer than plaintext 

of cryptotext 

is the cryptotext ? 

(5) Spreading of 

How far do 

encryption errors 

encryption errors spread? 


These yardsticks are contradictory to the extent that no cryptosystem is 
known (and presumably none can exist logically) that fulfills the maximal 
requirements in all points. On the other hand, no point can be absolutely 
ignored. 

If point (1) is dropped completely, then even plaintext is acceptable. If 
point (2) is dropped completely, then an individual, random, one-time key 
is acceptable. If points (3) and (4) are dropped completely, then there exist 
exotic cryptosystems that fulfill all other points optimally. If point (5) is 
dropped completely, then methods performing a thorough amalgamation can 
optimally approximate all other points. 

Modern cryptography tends, depending on the situation, to use individual 
keys (which require uninterrupted and secure key distribution) or amalgama¬ 
tion methods (which require noise-free, i.e., error-correcting, communication 
channels). 

In situations of utmost secrecy, say between heads of states in emergency sit¬ 
uations, the use of individual keys is quite normal, since there are usually not 
very many messages. It may be appropriate even in the case of heavy traffic. 
Frederick W. Winterbotham, responsible for the security of the material that 
came from the B. P. decrypts of the German ENIGMA and SZ42 radio traffic 
and was distributed under the cover name BONIFACE, later ULTRA, to the 
field units, insisted that it was encrypted for this purpose with an individual 
key. This shows on the one hand how priceless the secret material was, in 
view of the trouble connected with the use of individual keys, and on the 
other hand how safe the British rated individual keys, certainly rightfully so. 
Did any German officer have a chance to impose such strong regulations? 

In the commercial field, with DES an amalgamation method has been in use 
for more than two decades now. The continuing criticism of the security of 
the present de facto standard would simply be mollified if the key length, 
which many consider to be too short, were increased. 

11.4 Cryptology and Human Rights 

Since cryptographic methods are in use, even amateurs try to break them. 
Today, an amateur with access even to a middle-sized computer will find 
it difficult to penetrate an encryption that satisfies professional standards. 
The National Security Agency (NSA) of the USA, however, wishes to retain 
a surveillance capability over any commercial message channel that comes 
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under suspicion. It can be expected that the US Government will not allow 
the intelligence service of a potential adversary—there are still some—to 
build up a communication network under the cover of a private commercial 
undertaking. The times are over when Henry L. Stimson, Secretary of State 
of President Herbert Hoover, could send the Black Chamber of the State 
Department to the desert (1929 !) and then justify this in his autobiography 
(1948) with the reason “Gentlemen do not read each other’s mail”. Not even 
President Carter showed such moral scruples. Or does this show that the 
Americans under Carter did not succeed in reading Russian traffic? The end 
of the Cold War means only a reduction and not a cessation of the latent 
danger of being spied on. 

11.4.1 The conflict between the state and the citizen. But cryptology 
is not only an issue concerning the diplomatic and military authorities of 
different states. One should not forget that the permanent conflict of interests 
between the citizen or the individual and the state representing society at 
large is affected by cryptology. On the one side there is the undeniable right 
of the citizen (or of a corporation) to protect his or her private sphere (or 
its commercial interests) by efficient cryptosystems, on the other side there 
is the constitutional duty of the state to protect its internal and external 
security, which may require penetration of encrypted messages for intelligence 
purposes. 

The position of the state was expressed by Charles A. Hawkins, Acting As¬ 
sistant Secretary of Defense, USA on May 3, 1993, as follows: “The law 
enforcement and national security communications argue that if the public’s 
right to privacy prevails and free use of cryptography is allowed, criminals 
and spies will avoid wire taps and other intercepts.” The privacy of letters 
is not absolute even in civilized countries, and in cases that are regulated by 
laws it can be suspended for the benefit of the state—but not for the benefit 
of private persons. Encrypted messages are no exception- just the use of 
cryptography creates a certain initial suspicion. 

On the other side, precisely in the USA where most citizens see possession 
of firearms as their constitutional right, the possession of the crypto weapon 
is also not seen to be a state monopoly. Europe, with its somewhat different 
history, does not go so far in this respect. 

Whitfield Diffie distilled it to a short formula: “... an individual’s privacy as 
opposed to Government secrecy”. In Europe there is reason enough to insist 
on freedom from the authoritarian state. Thus, there is a need to find within 
the framework of each political constitution a means to regulate governmental 
cryptanalysis; a borderline is to be defined. This is already required by the 
existing legal framework. Strangely, the larger countries have more difficulties 
here in achieving results than the smaller ones; Austria, for example, being 
more advanced than Germany. 
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A solution is also necessary in the interest of world trade. In the USA, the 
rule for trading cryptological equipment with foreign partners is: “Encryption 
for the purpose of message authentication is widely allowed, whereas encryp¬ 
tion for the purpose of keeping information private raises eyebrows” (David 
S. Bernstein). As a case in point, Philip R. Zimmermann, according to his 
lawyer, was in 1994 facing a charge for violating the International Traffic 
in Arms Regulations, because he fed into the Internet and thus made freely 
available the cryptosystem PGP (Pretty Good Privacy, Sect. 9.6.6), which 
counts as war material (‘cryptographic devices, as well as classified and un¬ 
classified data related to cryptographic devices’, Category XHI). The charge 
was dropped in 1996, but the situation is unsatisfactory. 

11.4.2 Solution schemes. To regulate the conflict between the protection 
of the private sphere of the law-abiding citizen, guaranteeing the confiden¬ 
tiality of his or her messages on the one side, and on the other the fulfillment 
of the functions of the state, several schemes have been drawn up: 

(1) A limitation of the use of cryptosystems in the civilian domain by a 
requirement to seek official approval, either in individual cases or for 
types of usage, imposed upon commercial vendors (the inhibition of cer¬ 
tain methods alone, except the use of individual keys, is not sufficient, 
since it invites circumvention). 

(2a) A restriction of encryption security by regulating the availability of 
suitable cryptosystems in the civilian domain. The agency that makes 
the cryptosystems available can at the same time give the citizen a 
cryptanalytic guarantee and thus can increase the incentive for volun¬ 
tary conformity (a commercial vendor may serve as market leader with 
state support). 

(2b) Like (2a), but in conjunction with inhibition of the use of other crypto¬ 
systems in the civilian domain. 

(3) An escrow system, requiring the deposition of the complete data for 
each cryptosystem used in the civilian domain, the escrow agency being 
independent and required to maintain confidentiality. 

Further proposals may come up, as well as mixtures between the ones listed 
above. It is to be expected that different democratic states will come to dif¬ 
ferent solutions within the scope of their sovereignty. In France, for example, 
a solution along the lines of (1) which could be considered undemocratic is 
already established, and the Netherlands flirted for a while with such a regu¬ 
lation. In January 1999, the French Government lifted the obligation, which 
was disobeyed anyway. In Germany, there has been for quite some time a 
tendency toward a solution like (2a), with a recently created Bundesamt fur 
Sicherheit in der Informationstechnik (BSI), subordinate to the Ministry of 
the Interior; one might guess that it could develop into a solution like (2b). 
This liberal fundamental position was in June 1999 confirmed by the new 
Federal Cabinet. It is not yet apparent what solution the United Kingdom 
with its ‘Official Secrets Act’ will adopt. In the USA, in 1993, a solution 
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along the lines of (3) was advocated by the Clinton administration (a key 
escrow system 5 , see below). It caused loud protest, and a modification in the 
direction of (2a) with a kind of voluntary submission was still under discus¬ 
sion in 1999. For the European Union, insofar as it legislates on this question 
at all, neither (1) nor (3) are feasible options. 

Furthermore, it can be imagined what such a disorder of different regulations 
means for international commercial vendors. Trade in cryptographic devices 
crossing international borders is already difficult enough: “International use 
of encryption plunges the user headfirst into a legal morass of import, ex¬ 
port and privacy regulations that are often obscure and sometimes contradic¬ 
tory” (David S. Bernstein). International travel with a laptop computer was 
potentially punishable. Martha Harris, Deputy Assistant Secretary of State 
for Political-Military Affairs, stated on February 4, 1994: “We will no longer 
require that US citizens obtain an export license prior to taking encryption 
products out of the US temporarily for their own personal use. In the past, 
this requirement caused delays and inconvenience for business travellers.” 

11.4.3 SKIPJACK. The Escrowed Encryption Standard concerns the 
encryption algorithm SKIPJACK (Sect. 9.6.5) within the CLIPPER chip. To 
be stored in escrow by two separate escrow agents are two ‘chip unique key 
components’. These components are released to an authorized government 
official only in conjunction with authorized electronic surveillance and only 
in accordance with procedures issued and approved by the Attorney General. 
The key components are needed to construct by addition modulo 2 the ‘chip 
unique key’. An 80-bit message setting (‘session key’) KS, negotiated between 
partners or distributed according to a security device, serves as in DES to 
form an initialization block Cq for the encryption process which can be used 
monoalphabetically in a mode corresponding to the Electronic Code Book or 
chained in an autokey way in a mode corresponding to Cipher Block Chaining 
(Sect. 9.6.3). Most important, the chip contains an emergency trapdoor, the 
‘Law Enforcement Access Field’ LEAF, where the current session key is 
stored in encrypted form; by using the chip unique key the session key is 
obtained. Thus, following a court order, a government-controlled decrypt 
device can survey the channel. Every time a new conversation starts with a 
new session key, the decrypt device will be able to extract and decrypt the 
session key from the LEAF. Except for an initial delay in getting the keys, 
intercepted communications can be decrypted in real time for the duration 
of the surveillance. Thus, even voice communication in digitized form can be 
surveyed. 

Unlike DES, the SKIPJACK algorithm itself was kept secret by the authori¬ 
ties “to protect the LEAF” even though security against a cryptanalytic at¬ 
tack as such does not require the algorithm to be kept secret. Moreover, the 


5 Escrowed Encryption Standard (EES), Federal Information Processing Standards Pub¬ 
lication (FIPS PUB) 185, Feb. 9, 1994. 
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SKIPJACK algorithm was classified as SECRET — NOT RELEASABLE 
TO FOREIGN NATIONALS. It therefore was not suitable as an interna¬ 
tional de facto standard. In 1998, these restrictions were finally dropped. 

In fact, the ‘Law Enforcement Access Field’ trapdoor is rather primitive. 
It is openly accessible along the transmission line so that unauthorized de- 
cryptors can give it their best efforts. Dorothy E. Denning has studied some 
of the practical questions that arise. Silvio Micali (‘Fair Cryptosystems’, 
US Patent 5 276 737, January 4, 1994) has proposed improved cryptosystems 
that cannot be misused either by criminals or by state officials. Anyhow, by 
the year 2003 SKIPJACK seemed to have been a failure. 

For real-time, interactive communications, Thomas Beth and others proposed 
in 1994 to make the investigative law enforcement agency an active partici¬ 
pant in the protocol used by the sender and receiver to establish the session 
key, in such a way that the two parties cannot detect the participation of the 
agency. The novelty of this approach, however, lies in the possibility that in 
the case of noninterception the network provider can prove this fact. 

11.4.4 State intervention. Mistrust felt by some citizens (or legal corpo¬ 
rations) against state power is not diminished by some recent experiences; for 
example, in the USA with actual or alleged encroachments of the National 
Security Agency into the development of encryption algorithms like DES. 
It was said that giving NS A responsibility for approving and recommend¬ 
ing encryption algorithms is “like putting the fox in charge of guarding the 
hen house.” In 1957, there were also reports of close contacts between William 

F. Friedman, the grand old man of American mili¬ 
tary cryptology, and Boris Hagelin from Crypto AG, 
good friends in wartime, which aroused suspicions. 
Thus, a third party is mentioned, who stands outside 
the philosophy of balancing constitutional rights on 
privacy and state rights on law enforcement but can¬ 
not be overlooked in view of his economic impor¬ 
tance: the commercial vendor. It is in the interest 
of this party to have good relations with both the 
citizen as potential client and the state as supervisor 
(and sometimes client, too). At best, the vendor is 
an honest broker between the other two parties. 

However, this role is impeded by a certain dishonesty the state authorities 
force upon commercial vendors by making injunctions upon their trading 
with foreign partners which do not hold for their inland trade with the state 
itself. This hardly accords with the rules of global free trade. 

11.4.5 The balance: security against freedom. One cannot help fee¬ 
ling that cryptology at the beginning of the third millennium is still kept 
within a Black Chamber. The state authorities are to that extent impene¬ 
trable and can cling to their last shreds of omnipotence. But there is a firm 
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foundation of rights the state authorities cannot give up, for there has to be a 
balance of power. Not only the sole remaining superpower, the USA, but also 
the smaller powers in Europe will find it necessary that civilian and commer¬ 
cial cryptography and cryptanalysis come to an agreement with the state. 
The United Kingdom, with its long tradition of democracy yet its hitherto 
very tight security in matters of cryptanalysis, adheres to the motto that he 
who does not protect his own security endangers the security of his friends. 
But the claims of the civilian and commercial world are to be taken seriously. 
It would hardly be politically acceptable if in the USA patent applications 
for cryptosystems were blocked under the authority of the Invention Secrecy 
Act of 1940 or the National Security Act of 1947. Likewise, sensitivity about 
the protection of private or personal data is a political factor that cannot be 
overlooked. In the USA, policy on domestic controls is still inconclusive, as 
was shown by the furor over FID NET (Federal Intrusion Detection Network) 
and CESA (Cyberspace Electronic Security Act) in 1999. 

11.4.6 Liberalization. It was pushed in 1997 by international organiza¬ 
tions like the OECD and EU. In December 1998, in the scope of the Wasse- 
naar Arrangement on Export Control for Conventional Arms and Dual-Use 
Goods and Technologies, comprising 28 nations, some guidelines for a rather 
liberal export control of cryptographic products were achieved. In particu¬ 
lar, exports of 64-bit encryption algorithms were decontrolled by the member 
countries of the Wassenaar Arrangement. 

Then, on September 16, 1999, the Clinton administration announced its in¬ 
tention of further liberalization, allowing “the export and reexport of any en¬ 
cryption commodity or software to individuals, commercial firms, and other 
non-government end-users in all destinations”. The new policy will simplify 
US encryption export rules and rests on the following three principles: a 
technical review of encryption products in advance of sale, a streamlined 
post-export reporting system, and a process that permits the government to 
review exports of strong encryption to foreign governments. This relieves the 
feelings of the US Commerce Department and of US business. “Restrictions 
on terrorist-supporting states, their nationals and other sanctioned entities 
are not changed by this rule.” This may console the US Department of Jus¬ 
tice. How necessary it is was demonstrated by the September 11, 2001 terror¬ 
ist attack on the United States of America. Thus, the Bush administration 
is unlikely to support further liberalization. 

Altogether, the US government expects that “the full range of national inter¬ 
ests continue to be served by this new policy: supporting law enforcement and 
national security, protecting privacy, and promoting electronic commerce”. 
And on January 12, 2000 the Bureau of Export Administration (BXA) pub¬ 
lished the new liberal regulations for software export, which continue to hold. 
Software houses can now transmit freely over the frontier source code for in¬ 
ternal use, merely a copy is to be sent to BXA. 


232 11 Encryption Security 


11.4.7 Prospects. Still, it is to be hoped that in the long run there will 
be a victory of common sense. Above all, the aim of scientific work on strong 
cryptosystems for civilian and commercial channels is more than ever 

to find lower bounds for the complexity of unauthorized decryption using 
a precisely defined type of computer, under realistic assumptions on the 
lack of discipline among non-professional users. 

It is a worthwhile task to give the user of a cryptosystem a guaranteed amount 
of security. This includes the need for open source code of the cryptosystem, 
since every cryptosystem with an unpublished algorithm may contain un¬ 
pleasant surprises. 




The disk of Phaistos, a Cretan-Minoan clay disk of about 
160 mm diameter from the 17th century B.C. (the plate 
shows the side A), is covered with graphemes with clear 
word spacing. A decryption that is generally accepted does 
not seem to exist. “The torn and short text does not reveal 
its meaning without further clues” (J.Friedrichs). 


Plate A 




Plate B Two cipher disks, presumably from the 18th/19th century. 

The upper disk is in the style of a nomenclator. On the 
plaintext side it contains both alphabet letters and several 
syllables and frequently occurring words; on the cryptotext 
side it uses two-place decimal numbers. 




The ‘Cryptograph’ of Wheatstone, a device in the form of Plate C 

a clock, was shown for the first time at the Paris World Ex¬ 
hibition in 1867. It is a polyalphabetic cipher device: the 
hand is moved clockwise each time to the next cleartext let¬ 
ter, which slowly moves the disk with the mixed cryptotext 
alphabet. 





Plate D The U.S. Army Signal Corps Cipher Device M-94 in cylin¬ 

drical form with 25 aluminum disks of 35 mm diameter, each 
one with a mixed alphabet of 26 letters engraved on the rim, 
goes back to the models of Jefferson and Bazeries. Introdu¬ 
ced in 1922 under the influence of W. F. Friedman for lower- 
level military communications, it was in wide use until 1942. 





Strip cipher M-138-T4 used by the U.S. Army and U.S. Navy Plate E 

in the Second World War, based on a proposal by Parker 

Hitt in 1914. The 25 removable paper strips were numbered 

and used in prearranged order. The encryption was crypto- 

logically equivalent to the M-94. 




























































































Plate F 


The cipher machine ‘Kryha’ was invented by Alexander von 
Kryha, Berlin-Charlottenburg, in about 1926. It is a poly- 
alphabetic cipher device with a fixed periodic key of length 
442. Irregular movement of the cryptotext disks is achie¬ 
ved by a wheel with a varying number of teeth. Despite its 
cryptological weakness, this neat machine sold well in many 
countries. 











The Hagelin cipher machine ‘Cryptographer’ C-36, made Plate G 

by the Aktiebolaget Cryptoteknik, Stockholm, in 1936, has 
self-reciprocal encryption by BEAUFORT encryption steps 
performed by the ‘lug cage’, an invention of Boris Hagelin. 

The irregular movement is based on the use of keying wheels 
with different graduation, namely with 17, 19, 21, 23, and 
25 teeth, which gives a key period of length 3 900 225 . For 
such a purely mechanical machine, this was a pioneering 
achievement. 





Plate H The M-209 was an improved Hagelin C-36. Under Hagelin 

license, it was manufactured by Smith-Corona for the U.S. 
Army; it had an additional keying wheel with 26 teeth which 
increased the period to 101405 850 . When the crank was 
turned, the lettered wheels moved pins and lugs that shifted 
bars in the cylindrical cage; the bars acted like cogs that 
turned a wheel to print the cipher letter on the roll of tape 
behind the knob. 











Rotor cipher machine ENIGMA, as invented by Arthur 
Scherbius in 1918, with light bulb display (‘glow lamp ma¬ 
chine’) and plugboard (in front); 4-rotor version M4 for the 
Kriegsmarine , 1944. It enciphered with 3 (out of 8 ) normal 
rotors and 1 (out of 2 ) reflecting rotors (Griechenwalzen 
/?, 7 ), the introduction of which stopped the British rea¬ 
ding German U-boat signals from February to December 
1942. 


Plate I 




Plate K ENIGMA rotors: The internal wiring has 26 electrical con¬ 

nections between the contacts on the one side and those on 
the other side. 

Above: Rotor I with visible setting ring and pegs provided 
wizh springs. 

Below: Rotor VIII with two notches. 




The British TYPEX was an improved copy of the German Plate L 

3-rotor ENIGMA; it had two extra rotors (not movable du¬ 
ring operation) that made penetration much more difficult. 

It was actively used in British communications, and also 
to help decrypt German signals after their key was broken. 

The plate shows a TYPEX Mark III Serial No. 376. 












On-line cipher teletype machine Lorenz SZ42 Schliissel- Plate N 

zusatz, made by C. Lorenz A.G., Berlin, about 1943. A 

cipher machine for teletype Baudot signals, British cover 

name ‘tunny’, it was used at the strategic level down to 

Army headquarters. Twelve keying wheels with different 

graduation, using (from left to right) 43, 47, 51, 53, 59, 37, 

61, 41, 31, 29, 26, 23 teeth, and irregularly spaced pegs, 
produce a key of very high period. Five pairs of wheels 
each control five VERNAM substitutions of the 5-bit code; 
two wheels (‘motor wheels’) serve for irregular movement 
only. The SZ40/SZ42 encryption was penetrated by the 
British due to an encryption fault on the German side and 
was then read regularly using the electronic COLOSSUS 
machines. 


Plate M The Uhr box was used to replace the steckering of the Wehr- 

macht ENIGMA plugboard by a non-reciprocal substitu¬ 
tion, which also could be changed easily by turning the knob 
(presumably every hour) selecting one out of 40 positions. 
First use by the German Air Force in July 1944, by the Ger¬ 
man Army in September 1944. Despite the extra security it 
added, the Uhr box was not widely used. 




Plate O One-time pad of Russian origin, small enough to fit in the 

palm of a hand. The typewritten numbers have figures in 
Russian style. 





Crypto board, manufactured 1996 by Crypto AG, Zug Plate P 

(Switzerland), to be used for stand-alone or networked com¬ 
puters to provide access protection, secrecy of information, 
integrity of information, and virus protection. This highly 
reliable hardware with very long mean time between failure 
can be stored without batteries. 














Plate Q CRAY-1 S (1979). CRAY Supercomputers originated from 

the famous CRAY-1, designed by Seymour Cray (1928-1996) 
and in use since 1976, when it had a market price of $ 8 mil¬ 
lion. Supercomputers contain a very large number of integra¬ 
ted circuits allowing highly parallel work, but requiring very 
compact technology. They work at extremely high speed and 
need extensive cooling. First used for cryptanalytic tasks; 
civil versions have been available under certain limitations 
since 1979. The series continued with CRAY-2, CRAY X-MP, 
CRAY Y-MP, CRAY C 90, CRAY J90 leading to CRAY T 90, 
whose configuration T932 comprises 32 processors. A massi¬ 
vely parallel line was opened by the model CRAY T3D, the 
more recent model CRAY T3E (July 1996) is liquid-cooled 
and has up to 2048 processors, using the DEC Alpha EV-5 
(211 64) chip, each one running at 600 megaflops, 1.2 teraflops 
peak performance (1998: T3E-1200E 2.4 teraflops). 












Part II: Cryptanalysis 


II ne faut alors ni se buter, 
ni se rebuter, 
et faire comme en politique: 
changer son fusil d'epaule. 
[One should neither run 
one’s head against a wall 
nor get scared away 
and should act like in politics: 
change one’s opinion.] 
Etienne Bazeries, 1901 


“Deciphering is, in my opinion, 
one of the most fascinating of arts, 
and I fear I have wasted upon it 
more time than it deserves.” 
Charles Babbage, 1864 



Charles Babbage 
( 1791 - 1871 ) 


A Masterpiece of a Multiple Cryptotext-Cryptotext-Compromise of the Keys: 

vonreichsmarschallgoeringanalleeinheitenderluftflottendreiund 
zweiundfuenfoperationadlertaginkuerzesterzeitwerdensiediebrit 
ischeairf or cevomhimmelf egenheilh.it ler 

(Tagesbefehl by Hermann Goring , August 8, 1940) 




The 

Machinery 



Cyclometer Bombe 

(Poland) (United Kingdom) 



Colossus 
(United Kingdom) 


Bazeries’ quotation warns with Gallic charm against overestimating the sys- 
tematics of the cryptanalytic methods we discuss in this second part. 1 

Apart from the simple but generally intractable method of exhaustion, these 
methods have their roots in the inherent properties of language, which are 
hard to eradicate even by the most refined encryption. For a systematic treat¬ 
ment, the invariants of cryptological methods are established and used. Both 
pattern finding and frequency analysis are based on invariants of monoalpha- 
betic (monographic or polygraphic) encryptions. But even polyalphabetic 
encryption leaves invariant a certain linguistic-statistical parameter, called 
Kappa. This allows the reduction of repeatedly used polyalphabetic encryp¬ 
tions, especially of periodic ones, to monoalphabetic encryptions. For trans¬ 
position, which is a polygraphic encryption of a very special kind, exploiting 
this specialty leads to the use of contact frequencies. 

According to William F. Friedman (who coined the term in 1920), cryptanaly¬ 
sis involves the determination of the language employed, the general crypto¬ 
system, the specific key, and the plaintext; usually in this order. Cryptanal¬ 
ysis requires applying the right means at the right place in the right way. An 
anonymous British officer expressed it in 1918 like this: 

The would-be solver will need a dogged obstinacy, which however 
must not render him incapable of discarding a supposed clue. 

Givierge expressed it drastically: 

Certains rasoirs excellents sont pourtant tout a fait dangereux 
dans les mains d'un singe. 

[Some excellent razors are after all still dangerous in the hands of an ape.] 


1 


The first systematic collection of rules of thumb for cryptanalysis was published in 1474 
in Pavia by Cicco Simonetta, secretary of the Dukes of Sforza. 
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It should be noted that as a rule active cryptanalytic attacks both against 
governmental and against commercial communication channels are punish¬ 
able, and against private communication may provoke a lawsuit for damages. 
However, since we need knowledge of cryptanalytic methods to be able to 
reflect on the secure use of cryptographic methods, in particular on avoid¬ 
ing illusory complications, we hope to be excused on scientific grounds for 
discussing cryptanalysis prophylactically. 

Frequently, cryptanalysis is not only a question of material effort, but also of 
the time available. Much news is, as the saying goes, futile as soon as it is out 
of date, and in some areas messages become old-fashioned quickly. Patrick 
Beesly (Very special intelligence, London 1977) remarked in this respect: 

It should, however, be emphasized that cryptanalysis must be swift 
to be of real operational use. 

And Friedman stated: 

The best that can be expected is that the degree of security be great 
enough to delay solution by the enemy for such a length of time that 
when the solution is finally reached, the information thus obtained 
has lost all its ... value. 

In fact, the Rasterschliissel 44 of the German Wehrmacht (Sect. 6.2.5), a hand 
cipher introduced in 1944 for the tactical level, was broken by the Allies. But 
when used without mistakes, its solution took considerable time, e.g., some of 
the 18 messages sent by the 3 rd Panzer Division on February 3,1945 were read 
23 days after transmission; all were read after 29 days. “There was no point 
in the Allies learning on February 26 that on February 3 14 000 litres of fuel 
had arrived for the 8 th Panzer Grenadier Regiment. This disappointing situ¬ 
ation prompted Nigel de Grey, B.P.’s senior administrator, to recommend the 
end of the undertaking that kept about 100 people occupied” (M. J. Cowan). 

Sometimes, solutions of cryptograms have been given which were little more 
than guesswork. The requirements for a successful reliable unauthorized de¬ 
cryption fluctuate, depending on the situation, between a rational recon¬ 
struction of 90% of the plaintext (Meyer-Matyas) and a complete disclosure 
not only of the message, but of the key, too, and of the whole cryptosystem 
(Rohr bach). 

Encryption devices and machines seem to be no longer of immediate value 
once they are out of use. Planned obsolescence (Sect. 2.1.1) is a good strata¬ 
gem—it minimizes the risk in case crypto tools are stolen or seized. The 
time scale to be applied depends very much on the genre of the messages: 
ten hours for artillery fire commands may correspond to ten years in diplo¬ 
matic telegrams. But even outdated codebooks or cipher tables are revealing. 
Practical cryptanalysis makes use of many tiny details about the adversary’s 
pecularities, habits, and preferences and records them carefully. In this sense, 
cryptanalysis feeds on the results it has already attained. Success breeds more 


success. 
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Cryptanalysis is nurtured to a good part by encryption errors and even by 
lesser mistakes of the adversary. Luigi Sacco sarcastically said: 

Les chiffreurs se chargent suffisamment d'aider I’ennemi. 

[The cipherers are sufficiently occupied to help the enemy.] 

Asymmetric cryptosystems allow a publication of the encryption keys (‘public 
key’) and indicate a liberalization of cryptography (‘public cryptography’), 
which also entails an increased public awareness of cryptanalysis generally— 
although the cryptologic services of the government agencies see this side of 
public cryptography rather reluctantly. These agencies do not see themselves 
as instruments for the education of the masses. To give an example with 
respect to the modes of operation of standardized DES, Philip Zimmermann 
reports that “... the authors of a number of [these encryption packages] say 
they’ve never heard of CBC or CFB mode. The very fact that they haven’t 
even learned enough cryptography to know these elementary concepts is not 
reassuring.” Cryptanalysis is not going to die out. 

Cryptanalysis is also already on the free market. The company Access Data 
Recovery (87 East 600 South, Orem, Utah 84058, USA)- -and this is not the 
only example—sold in 1997 for some $ 100 a program, developed by Eric 
Thompson, which penetrates into the built-in encryptions of WordPerfect, 
Lotus 1-2-3, MS Excel, Symphony, Quattro Pro, Paradox and MS Word 
and this not by exhaustive trial and error, but by genuine cryptanalytic 
methods. Some people buy it when they have forgotten their password, and 
police officers use it, too, if they want to read confiscated data. 
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Gewohnlich glaubt der Mensch, wenn er nur Worte hort, 
es miisse sich dabei dock auch was denken lassen. 

Goethe 

[Men always believe, when they hear words, there must be thought behind them, too.] 

The cardinal number of a class of methods—corresponding to the number 
of available keys—is a criterion for the combinatorial complexity of the en¬ 
cryption. As a measure of security against unauthorized decryption, it gives 
an upper bound on the work required for an exhaustive search under the 
assumption that the class of methods is known (Shannon’s maxim: “The 
enemy knows the system being used.”) 

We shall frequently make use of an improved Stirling formula 1 for n! 

n! = (n/e) n V2Tm-(l+Y^r+0(^)) = v / 2 7 re(n/e ) n+3 •(l+ I ^ 3 x + 0(4 r )) 

with the numerical values 

V2n = 2.506 628 275... , 
e = 2.718281828... , 

V / 2^e = 4.132 731353... 

and of the asymptotic formula for the base 2 logarithm of the factorial 2 
ldn! = (n+ \) (ldn - lde) + §(ld 7 r + lde + 1 ) + lde( T ^ r - 3^3 + 0 ( = r )) 
with the numerical values 

lde = 1.442 695 041... , 
i(ld 7 r + lde + l) = 2.047095586... . 

| V |, the cardinal number of the alphabet V , is abbreviated by N. 

Z = | S | denotes the cardinal number of the class of methods S. 

In the following the combinatorial complexities Z are compiled for some 
classes of methods S. Id Z, the information of the class of methods S , is 
measured in [bit]. 10 logZ is measured in [ban] = 1/ I 0 log2 [bit] s=s 3.32 [bit], 
a unit introduced by Turing, with the practical unit 1 [deciban] w 0.332 [bit]. 

1 26! = 403 291 461126 605 635 584 000 000 = 2 23 • 3 10 • 5 6 ■ 7 3 • ll 2 ■ 13 2 • 17 ■ 19 • 23 

2 Id 2 denotes the logarithm with the base 2: Ida: = In x/ In 2 = 10 log x / 10 log 2 . 
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12.1 Monoalphabetic Simple Encryptions 

Simple substitutions are monographic. Leaving homophones and nulls out of 
consideration, we can restrict our interest essentially to permutations. 

12.1.1 Simple Substitution in General (special case n = l of Sect. 12.2.1) 

12 . 1 . 1.1 (Simple substitutions, Sect. 3.2) 

Permutations V -4—>- V show the same cardinal number as one-to-one map¬ 
pings (without homophones) of V into W'- m > , independent of W and m : 


Z = N\~V2ne( — ^\ 


iV+i 


IdZ 


N+ 2 


(Id TV- 1.44) +2.05 


4.13- ( - 


AT+A 


For TV = 26 : Z « 4.03 • 10 26 , Id Z « 88.382 [bit], log Z « 266.06 [deciban] . 

12.1.1.2 (monocyclic simple substitutions, Sect. 3.2.3) 

N 

Permutations V -4—>- V with exactly one cycle, of the maximal order TV : 


Z=(N- 1)! x V2ne 
1 


TV- 1 


AT-i 


4.13 


TV — 1 


N—h 


Id z 


TV - - ) • (Id (TV - 1) - 1.44) + 2.05 


For TV = 26 : Z « 1.55-10 25 , IdZ « 83.682 [bit], log Z k, 251.91 [deciban] . 

12.1.1.3 (properly self-reciprocal simple substitutions, Sect. 3.2.1) 

2 

TV is even, TV = 2v for a properly self-reciprocal permutation V -4 —>- V . 


TVV 


Z = (N — 1)!! = (TV - 1)(TV - 3) (TV -5)... - 5- 3- lx\/2-( — ) 

\ e J 

TV 1 

Id Z~-- (Id TV — 1.44) + - 

For TV = 26 : Z « 7.91 • 10 12 , Id Z « 42.846 [bit], log Z « 128.98 [deciban] . 


12.1.2 Decimated Alphabets (special case n = 1 of Sect. 12.2.2) 
Assuming a linear cyclic quasiordering of the alphabet, Sinkov’s ‘decimation 
by q’ (Sect.5.6) . 

Z = ip(N) , where tp is the Euler totient function (Sect. 5.6) 

Id Z = Id N + X^i=ild p(Pn> 1) ( see Sect. 12.2.2) 

For N = 26 : Z = 12 (Sect. 5.5, Table lb), 

Id Z « 3.58 [bit], log Z ss 10.79 [deciban] . 
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12.1.3 CAESAR Addition (special case n = 1 of Sect. 12.2.3) 

CAESAR addition V -4 + > - V , a shift, is the monoalphabetic special case of 
a VIGENERE substitution (Sect. 7.4.1). 

Z = N 
IdZ = Id N 

For A = 26 : Z = 26 , IdZ « 4.70 [bit], logZ « 14.15 [deciban] . 

12.2 Monoalphabetic Polygraphic Encryptions 

The combinatorial complexity of polygraphic substitutions depends on the 
encryption width n. 

12.2.1 Polygraphic Substitution in General 

Permutations V n -4—>- V n show the same cardinal number as one-to-one 
mappings of V n into independent of W and to : 

z = ( N n y. 

Id Z X ^ (n • Id A - 1.44) + 2.05 

For A = 26 : Z = (26™)! , Id Z « (26 n + ±)(4.70 n - 1.44) + 2.05 . 

Digraphic substitutions: ldZ« 5.39-10 3 [bit], log Zm 1.62-10 4 [deciban]; 

Trigraphic substitutions: Id Zk, 2.22-10 5 [bit], log Zk, 6.70-10 5 [deciban]; 

Tetragraphic substitutions: Id Zk. 7.93-10 6 [bit], log Zk. 2.39-10 7 [deciban]. 

PLAYFAIR substitutions show the same cardinal number as monocyclic 
simple substitutions with N= 25 : 

Z = 25!/(5-5) « 6.20-10 23 ,ld Z k. 79.038 [bit], log Z k. 237.93 [deciban] . 

12.2.2 Polygraphic Homogeneous Linear Substitution 
(HILL Transformation) 

Assuming a linear cyclic quasiordering of the alphabet, from Sect. 5.2.3 
Z = A" 2 • p(N, n) , where for N = p^ 2 ■ ■ ■ p s k k 

p{N,n ) = p(p 1 ,n)p(p 2 ,n)... p(p k ,n). 

Id Z = n 2 Id A + X^ =1 ld p(p M , n) • 

For large n approximative values for p(p,n ) in Sect. 5.2.3; 
for large n and not too small p with Id e ss 1.44, 

Id p(p,n) « 1.44 / (| -p) . 

For A = 26 and large n: p{2,n) ~ 0.289 and p(13,n) « 0.917 , thus 

p(26,n) ~ 0.289 • 0.917 = 0.265 ; altogether: 

For A = 26 and large n : 

Z « 0.265-26" 2 , Id Zn 4.70 n 2 -1.92 [bit], log Z k. 14.15 n 2 -5.78 [deciban]. 
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Z 

Id Z 

12.2.1 Substitution 
in general 

(26™)! 

(26™ + |) (4.70 n — 1.44) + 2.05 

12.2.2 HILL 

transformation 

0.265 • 26™ 2 

4.70 n 2 - 1.916 

12.2.3 CAESAR addition 

26™ 

4.70 n 

12.2.4 Transposition 

n\ 

(n + |) (Id n- 1.44) +2.05 


Table 4. Complexity of monoalphabetic (polygraphic) encryption steps 
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Fig. 94. Combinatorial complexity of polygraphic substitutions 
of width n , for N = 26 


12.2.3 Polygraphic Translation (Polygraphic CAESAR Addition) 

Polygraphic CAESAR addition V n - < + > - V n with encryption width n, a 
shift, is a special case of inhomogeneous linear substitution, where T is the 
identity matrix. 

Z = N n , Id Z = n Id N 

For N = 26 : Z = 26™ , Id Z « 4.70 • n [bit], log Z « 14.15 • n [deciban] . 
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Id Z 

n = 1 

n = 4 

n= 16 

n = 64 

n = 256 

8.84- 10 1 

7.93 • 10 6 

3.22 • 10 24 

1.08 • 10 93 

2.07 • 10 365 

3.58 

73.29 

1 .20-10 3 

1.93 • 10 4 

3.08 • 10 5 

4.70 

18.80 

75.21 

300.83 

1203.31 


4.58 

44.25 

296.00 

1684.00 


for N = 26 depending on the encryption width n 


12.2.4 Transposition 

Transpositions of width n are subsumed (somewhat surprisingly) under 
linear substitutions, since they are linear substitutions whose matrix is a 
permutation matrix. The complexity is therefore independent of N. 

Z = n\ 

Id Z= (n + \) (Id n - 1.44) + 2.05 

12.2.5 Summary on Monoalphabetic Substitutions 

The combinatorial complexities of monoalphabetic substitutions are tabu¬ 
lated in Table 4 and shown graphically in Figure 94. 

Note that the complexity of transposition (12.2.4) surpasses the complexity 
of polygraphic CAESAR addition (12.2.3) at about n = N ■ e (for N = 26 
just at n = 68 with Id Z ss 320.2 [bit] ). 

For N = 26 , transposition reaches at n = 26 simple (monogram) substitution; 
homogeneous linear substitution with Id Z m 4.70 n 2 — 1.916 surpasses 
at n= 5 simple (monographic) substitution with Id Z ss 88.38 [bit], 
at n= 34 digraphic substitution with Id Z ss 5.386 • 10 3 [bit]. 

Polygraphic CAESAR addition (12.2.3) is surpassed at n = 2 by polygraphic 
homogeneous linear substitution ( 12 . 2 . 2 ) . 

Note that a block transposition of width n is polygraphic, but also mono- 
alphabetic—it is obfuscating to call n a ‘period’. 

12.3 Polyalphabetic Encryptions 

The combinatorial complexity of the most general polyalphabetic (periodic) 
encryption with d unrelated alphabets is the product of the complexities of 
the different alphabets. For the case of d related alphabets the complexity 
is correspondingly smaller. 
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Z 

Id Z 

12.3.1 PERMUTE substitution 

{26\) d 

88.38 • d 

12.3.2 MULTIPLEX substitution 

(25!) d 

83.68 • d 

12.3.3 ALBERTI substitution 

26! 26 d 1 

4.70 • d + 83.68 

12.3.4 VIGENERE substitution 

26 d 

4.70 • d 


Table 5. Complexity of polyalphabetic (monographic) cryptosystems 


12.3.1 PERMUTE Encryption with d Alphabets 

Z= ( N\) d 

Id Z = d ■ {(N + \) (Id N - 1.44) + 2.05) 

For N = 26: Zk, (4.03- 10 26 ) d , ldZ«88.38-d [bit], log 266.1 • d [deciban], 

12.3.2 MULTIPLEX Encryption with d Alphabets 

Z= ((TV — 1) !) d 

Id Z = d ■ ((N - i) (Id (N - 1) - 1.44) + 2.05) 

For N = 26: Z«( 1.55-10 25 ) d , ldZ«83.68 -d [bit],logZ«251.1 • d [deciban], 

12.3.3 ALBERTI Encryption with d Alphabets 

Z = N\ N d_1 

Id Z = d ■ Id N + {N — |)(ld {N - 1) — 1.44) + 2.05 

For N=26: Z « 1.55 • 10 25 • 26 d , Id Z « 4.70 • d + 83.68 [bit], 

log Z « 14.15 • d + 266.1 • d [deciban]. 

12.3.4 VIGENERE or BEAUFORT Encryption with d, Alphabets 

Z = N d 
Id Z = d ■ Id N 

For N=26: Z = 26 d , Id Z « 4.70 • d [bit], log Z w 14.15 • d [deciban]. 

12.3.5 Summary of Polyalphabetic Encryption 

The combinatorial complexities of polyalphabetic substitutions are tabulated 
for the monographic case n = 1 in Table 5 and are shown graphically in 
Figure 95. 




12.3 Poly alphabetic Encryptions 2^3 


Id z 

d= 1 

d= 10 

d = 100 

d = 1000 

d = 10000 

88.38 

883.82 

8 838.20 

88 381.95 

883 819.53 

83.68 

836.82 

8368.15 

83681.51 

836 815.36 

88.38 

130.69 

553.73 

4 784.12 

47 088.08 

4.70 

47.00 

470.04 

4 700.44 

47 004.40 


for N = 26 depending on the number d of alphabets used 
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Fig. 95. Combinatorial complexity of polyalphabetic encryption 
with a number d of alphabets used, for N = 26 
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Note that the VIGENERE or BEAUFORT encryption and (monoalphabetic) 
simple substitution have the same complexity for d « N + \ — 

(in the case N = 26 , for d= 19 ; in the case N = 26 2 , for d = 573). 
MULTIPLEX encryption with d alphabets and (monoalphabetic) polygra¬ 
phic substitution with width n have approximately the same complexity for 
d ss n ■ N n ~ 1 (precisely, in the bigram case n = 2 and N = 26, for d = 55). 

The complexity of the VIGENERE or BEAUFORT encryption with period 
d = h and poly graphic CAESAR addition with width n = h coincide. For 
N = 10, an adding machine with h positions can be used, the mechanical 
carry device of which has been dismantled in the first case, not in the second 
case (Sect. 5.7.1 and Sect. 8.3.3). 
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12.4 General Remarks on Combinatorial Complexity 

In studying combinatorial complexity theoretically, the whole class of meth¬ 
ods is envisaged. Practically, the unauthorized clecryptor will often be able 
to find restrictions caused by the encryptor’s habits or stupidity. The cir¬ 
cumstances matter, too. 

12.4.1 For example, the cylinder of Jefferson and Bazeries has without 
knowledge of the disks the complexity of a MULTIPLEX encryption; with 
knowledge of the disks 3 however only of a transposition. For d = 25 (M-94) 
this means a reduction from Z= (26 !) 25 « 1.38-10 665 to.Z = 25! ss 1.55-10 25 , 
or from IdZ ss 2209 [bit] to ldZ « 83.68 [bit]. A similar situation exists 
with an Alberti disk: If it falls into the hands of the enemy, the ALBERTI 
encryption collapses to a VIGENERE encryption; Z correspondingly drops 
from (Nl) ■ N^ 1 to N d , or for N = 26, Id Z from 4.70 • d + 83.68 to 4.70 • d. 

12.4.2 Note, too, that the complexity of double transposition is Z = (nl) 2 
and thus is somewhat smaller than that of transposition with doubled width, 

Z = (2n )! = (n !) 2 • ( 2n ) , where asymptotically ( 2 ”) x4 n /\J n ■ (n+\ + . 

But this means only that exhaustion, given a fixed time limit, carries further 
for double transposition, which does not contradict the empirical fact that 
in a region of complexity where exhaustion is not tractable, cryptanalysis of 
double transposition is much more difficult than cryptanalysis of columnar 
transposition with doubled width. 

12.4.3 Finally, it is remarkable that for a VIGENERE encryption, Z and 
Id Z depend only on N d and thus (for N = 2 k ) are invariant under tran¬ 
sition to binary encoding: (2 k ) d = 2^'^ . In contrast to this, the com¬ 
plexity ((2 fc )!) d of PERMUTE encryption is reduced drastically, by a divisor 
(2 fe —l)!) d , under transition to binary encoding: 2^ k ' d ^ = ((2 k )\) d /((2 k — l)!) d . 

12.5 Cryptanalysis by Exhaustion 

It should be clear that combinatorial complexity is a measure of security 
only in the sense that it is a measure of the effort needed for a particular 
kind of unauthorized decryption, albeit a very simple and very general one, 
which we shall call exhaustion attack. After guessing a class of encryption 
methods, we construct all plaintexts that lead under some encryption process 
of one of these methods to a given cryptotext (all ‘variants’), and then read 
the ‘right’ message, or ‘gather’ it in the true meaning of the word. This 
attack can lead to more than one gathered message, which shows that the 
decryption is not unique—more precisely, that encryption is not injective for 
the encryption method one has guessed at. This can mean that one has to 

3 ‘A crypto device can fall into the hands of the enemy’: Maxim No. 3 (Sect.11.2.3) . 
Bazeries invented his device in 1891. eight years after Kerckhoffs had published his 
advice. 
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Table 6. 26 variants of a CAESAR encryption : HVZDU VFKRQ... 


look for a narrower class of encryption methods. We shall come back to this 
phenomenon under the catchword ‘unicity distance’. If no message can be 
gathered, the guess as to the class of encryption methods was erroneous—or 
a mistake was made in the encryption process. 

Proceeding by exhaustion ‘running down the alphabet’ is only tractable, of 
course, if the number of variants to be scrutinized is not gigantic. However, 
it is not necessary to gather for each scrutiny the full alleged plaintext; an 
escape should be possible as soon as a tiny part of the tentative deciphering 
is found to be absurd. 

We illustrate exhaustion with two small examples, where the cardinality of 
the alleged plaintexts which are to be scrutinized is about two dozen variants: 

a) CAESAR addition with Z 26 : 26 variants (Table 6), 

b) transposition with width 4: 24 variants (Table 7). 

The method of exhaustion is also indicated if the number of ‘probable word’ 
keys that are given or guessed is not too large. In the Renaissance the reper- 
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toire of familiar quotations was not too big—proverbs like VIRTUTI OMNIA 
PARENT, SIC ERGO ELEMENTIS, IN PRINCIPIO ERAT VERBUM, to 
mention a few that are present in the cryptologic literature. Indeed even to¬ 
day one finds from amateurs up to statesmen a predilection for programmatic 
keywords: TORCH, BARBAROSSA, DESERT STORM. 
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E SWARS CHONDUNKE LAL S I CH I NBONNANKAM I CH Z 
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Table 7. 24 variants of a transposition of width 4: SAEWS HRCNU... 


12.6 Unicity Distance 

Pursuing stepwise, letter by letter, the buildup of the feasible plaintext frag¬ 
ments leads to the observation that after a certain rather clearly defined 
length the decision for just one plaintext can be made confidently. The 
number of characters up to this length is called the empirical unicity dis¬ 
tance U of the class of methods in question. Remarkably, in the two ex¬ 
amples of Table 6 and Table 7 with almost equal complexity (Z « 25 and 
Id Z k. 4.64) the unicity distance is roughly equal, i.e., about four characters. 
There are, for example, only very few 4-letter words allowing an ambiguous 
CAESAR decryption, in English (Z 2 q) : mpqy: ADEN, KNOW; aliip: DOLLS, 
WHEEL; afccq: JOLLY, CHEER ; in German (Z 26 ) : zydd: BAFF, POTT; qfzg: 
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LAUB, TICK; qunq: EIBE, OSLO; himy: ABER, NORD, KLOA(KE), (ST)OPSE(L) 
(Z 25 !) ■ Only words with different letters are here essential. 

The unicity distance can be estimated by experienced cryptanalysts for en¬ 
cryptions with much larger complexity Z , like monoalphabetic simple sub¬ 
stitution (Z = 26!, Id Z = 88.38): for clearly shorter cryptotexts, there 
is ambiguity, for clearly longer cryptotexts, there is a unique solution. In 
the case of monoalphabetic simple substitution, the empirical unicity dis¬ 
tance has been reported to be between 25 and 30: “... the unicity point, at 
about 27 letters. ... With 30 letters there is always a unique solution to a 
cryptogram of this type and with 20 it is usually easy to find a number of 
solutions” (Shannon 1945); “Practically, every example of 25 or more char¬ 
acters representing monoalphabetic encipherment of a ‘sensible message’ in 
English can be readily solved” (Friedman 1973). Experimental checks with 
encryption methods of very large complexity Z support the empirical law: 

The unicity distance depends (for one and the same natural language) 

only on the combinatorial complexity Z of the class of methods. 

Moreover, it is (for not too small Z ) proportional to Id Z . 

This quantitative result was still unpublished around 1935. Only qualita¬ 
tive insights, like “The key should be comparable in length with the mes¬ 
sage itself” (Parker Hitt 1914, Sect. 8.8.2) have been known since Kasiski 
(Sect. 17.4), although presumably Friedman had an inkling. It means that 
the whole influence of the redundant language underlying the text can only 
be expressed in the proportionality constant. This was a starting point for 
the foundation of Claude E. Shannon’s information theory, which he wrote 
as a classified report in 1945. It was released to the public in 1949. 
Assuming Friedman’s value U = 25 for monoalphabetic simple substitution, 
Id Z k, 88.382 results in an empirical calibration for the proportionality: 

(*) U - id35 ldZ - rki 10l °S z - 

Table 8 has been computed according to Sect. 12.2 and (*) for different width 
n of monoalphabetic polygraphic substitution ( Z 26 , English language). 



n = 1 

n = 4 

n = 16 

CO 

II 

s 

n = 256 

Substitution in general 

25 

2 244 000 

10 24 

10 93 

10 365 

Homogeneous linear substitution 

(1.02) 

22 

340 

5 500 

88 000 

CAESAR addition 

(1.34) 

6 

22 

86 

340 

Transposition 


(1.30) 

13 

85 

480 


Table 8. Empirical unicity distance U, extrapolated according to (*), rounded up ( N=26 ) 
The values in parentheses turn out to be too small to be meaningful. 4 


The rule has the following background in information theory: 

The value 4.7 = Id 26 [bit/char] is split into 3.5 bit per character (74.5%) redundancy 
and 1.2 bit per character (24.5%) information (for Z 26 and the English language). 

For the theoretical foundation, see the appendix Axiomatic Information Theory. 


4 
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In particular, there results 

for digraphic substitution in general U fa 1 530 , 

for trigraphic substitution in general U fa 63 000 , 

for tetragraphic substitution in general U fa 2 250 000 . 

For periodic polyalphabetic encryption, the empirical unicity distance of a 

basic monoalphabetic encryption is to be multiplied with the length d of the 
period. Thus, for VIGENERE encryption, based on CAESAR addition steps 


with 

d = 

10 2 

Ufa 

134 

with 

d = 

10 4 

Ufa 

13 400 

with 

d = 

10 6 

Ufa 

1340 000 


If for an encryption method an empirical unicity distance exists, it may be 
expected that by suitable attacks other than exhaustion the breaking of an 
encryption becomes easier and less uncertain with increasing length of the 
cryptotext, whereas after some length near the unicity distance the solution 
becomes unproblematic, provided sufficient effort can be made. For holocryp- 
tic (‘unbreakable’) encryptions (Sect. 8.8.4), no unicity distance exists. 

12.7 Practical Execution of Exhaustion 

The practical execution of exhaustion proceeds by stepwise increasing the 
length of the fragments of the texts, cutting out each time the ‘impossi¬ 
ble’ variants and leaving the ‘possibly right’ ones. The tables of bigrams 
and trigrams printed in the literature show that in English, French, or Ger¬ 
man among 676 bigrams about half are ‘possible’, among the 17 576 trigrams 
only about a thousand. The execution can easily be carried out interactively 
with computer help if the number of variants to begin with is not much larger 
than ten thousand. On the monitor screen fragments of five to eight charac¬ 
ters are easily picked out at a glance, and at least 100 of those selections can 
be made in one minute, which means 6 000 initial variants can be scanned 
in an hour. Later the number of variants remaining is reduced drastically, 
so in less than two hours the ‘right’ solution should be found or its nonexis¬ 
tence shown. For the examples in Tables 6 and 7 this can be seen in Figures 
96 and 97. Even a reader who is only vaguely familiar with the language 
will find it not difficult to weed out the senseless instantiations. In order to 
eliminate marginal influence, we have started with the 6th column. 

Note that according to Sects. 12.3.3 and 12.2.4, 
for VIGENERE (a polyalphabetic CAESAR addition) 

Z = 17 576 for period 3 , Z = 456 976 for period 4; 
for transposition (a special polygraphic encryption) 

Z = 40 320 for width 8 , Z = 362 880 for width 9 . 

This shows the (restricted) range of the exhaustion attack. For general 
monoalphabetic simple substitution and PLAYFAIR substitution, with Z of 
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Fig. 96. Exhaustion for 26 variants of a CAESAR encryption 
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Fig. 97. Exhaustion for 24 variants of a transposition of width 4 
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the order of magnitude 10 25 , it is useless, at least in its pure form with human 
interaction. Computers can help to weed out the impossible variants much 
faster, but this may still not be sufficient. However, if high combinatorial 
complexity can be drastically lowered by other, suitable means, exhaustion 
may come within reach. In other words: 

The exhaustion attack, although by itself alone rather insignificant, 
is in combination with other, likewise automatic attacks the funda¬ 
mental method of intelligent cryptanalysis. 

Exhaustion is also used by the authorized clecryptor in case of polyphone 
encryptions. The best known example is polyalphabetic encryption with un¬ 
related monocyclic substitution alphabets, used with the cylinder of Jefferson 
and Bazeries, where the plaintext is to be found among two dozen variants. 


12.8 Mechanizing the Exhaustion 


12.8.1 Exhausting substitution. For the exhaustion of a simple CAE¬ 
SAR addition there exists a mechanization by the strip method. Ready-made 
strips containing the duplicated standard alphabet are used to demonstrate 
the cryptotext and all plaintext variants as well (Fig. 98). Cylinders con¬ 
taining the standard alphabet on their rim can be used as well. Here, the 
mechanical decryption aid is nothing but an encryption device, applied back¬ 
wards. This can be applied to other mechanical devices, too. For example, 
an ENIGMA imitation can be used to find the one among 26 3 = 17 576 rotor 
positions which gives a cryptotext fragment for a probable word -provided 
the rotors have fallen into the cryptanalyst’s hands. 


12.8.2 Exhausting transposition. For the exhaustion of a transposition 


of known width n , the cryptotext is written horizontally as an array of n 


columns, then the sheet is cut into n vertical strips, which can be permuted 


(Fig. 99). 


Fig. 99. 

Scissors-and-paste method 
for the solution 
of a transposition 
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12.8.3 Brute force contra Invariance. Cryptanalysis by exhaustion is 
a brute force method and as such is subject to limits of power. In the next 
chapters, methods of cryptanalysis are discussed, which are more cleverly 
based on “the ‘invariant’ characteristics of the cryptographic system em¬ 
ployed” (Major Solomon Kullback, in: Statistical Methods in Cryptanalysis, 
1935). Kullback continues: „A cryptographic system which has no invariant 
characteristic would be secure against unauthorized decipherment 11 . 
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No matter how resistant the cryptogram, all that is really needed 
is an entry, the identification of one word, or of three or four letters. 

Helen Fouche Gaines 1939 

Language contains an internal frame of regularities that are hard to extirpate. 
Particularly resistant are repeated patterns. 

13.1 Invariance of Repetition Patterns 

Invariance Theorem 1: For all monoalphabetic, functional simple 
substitutions, especially for all monoalphabetic linear simple substitu¬ 
tions (including CAESAR additions and reversions), 
repetition patterns of the individual characters in the text are invariant. 

The plaintext win t ersemes t er 

encrypted by a CAESAR addition ZLQWHUVHPHVWHU, 
or with a reversed alphabet DRMGV I HVNVHGV I , 

or with a permuted alphabet VAH ORMNRGRNORM, 

has an invariant pattern of character repetition. According to Shannon, pat¬ 
terns are just the ‘residue classes’ of simple substitutions. Text particles with 
the same repetition pattern are called ‘idiomorphs’. 

Monoalphabetic and functional polygraphic substitutions V^ ->- W( m ' > 

leave the patterns of polygram repetitions (observing the hiatuses) invariant. 
By contrast, transpositions do not preserve repetition patterns. Homophonic 
and particularly polyalphabetic substitutions destroy repetition patterns. 

Patterns are usually denoted by finite sequences of numbers in normal form, 
i.e., each number has at its first appearance (from left to right) only smaller 
numbers to its left. 1233412526 is in normal form. 

In the cryptotext VAHORMNRGRNORM from above, NRGR.N has the 
pattern 12321 , NRGRNOR has the pattern 1232142, ORMNRGRNORM 
has the pattern 12342524123. The pattern 12321 of NRGRN is particularly 
conspicuous. Moreover, the fragment ORM occurs twice. Thus, the pattern 
123 456 75857 456 of VAHORMNRGRNORM describes some text with 
fragments of 6 and 8 letters that rhyme. 

In fact, we know that win terse m ester is a solution, but there is hardly 
another idiomorph solution in German, and most likely none in English. 
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abba cy c abbag e c abba la s abba th sc abba rd b acca laureate m acca bee 
st acca to affa ble affa ir baggage braggart haggard laggard alla h allay b alla d 
b alla st f alla cy g alla nt inst alla tion m alla rd p alla dium par alla x w alla by 
diagr amma tic fl amma ble g amma gr amma r m amma progr amma tic anna list 
anna ls band anna c anna bis hos anna m anna sav anna h appal apparatus 
apparel apparent kappa arra ck arra ign arra nge arra nt arras arra y b arra ck 
b arra cuda b arrag e c arrag heen emb arra ss n arra te t arra gon w arra nt 
amb assa dor assa il assas sin assa ult assay C assa ndra m assa cre m assa ge 
p assag e v assa l w assa il atta ch atta ck atta in r atta n atta r b atta lion co atta il 
r atta n reg atta w atta ge pi azza beeb read boob boob y deed deed less in deed 
dood le ebbe d ecce ntric b edde d reddear r edde n shr edde r w edde d effe ct 
effe minate effe ndi effe rent effe rvesce effe te begged bootlegger egged legged 
pegged tr ekke d aquar elle bagat elle b elle chanc elle ry chanter elle driv elle r 
dw elle r exc elle nt f elle r fontan elle gaz elle grov elle r h elle bor h elle nic 
imp elle nt int elle ct jew elle r lib elle r mademois elle nac elle p elle t prop elle r 
rep elle nt s elle r t elle r trav elle r emme t barr enne ss comedi enne f enne c f enne l 
j enne t k enne l r enne t t enne r pepper stepper zeppelin det erre nt f erre t 
int erre gnum int erre lation ov erre act part erre t erre strial adr esse e d esse rt 
dr esse r esse nce esse ntial fin esse larg esse l esse n m esse nger nobl esse 
quint esse nce tesselate v esse l beg ette r b ette r bur ette corv ette cur ette f ette r 
gaz ette g ette r l ette r marion ette pirou ette ros ette roul ette s ette r silhou ette 
geegee googol heeh aw capriccio past icci o forb iddi ng y iddi sh difficile 
difficult griffin tiffin biggish bacilli billiard billion brilliant chilli cyrillic 
fillip illicit illinois illiquid illiberal illiterate illimitable l illip ut milliard 
millibar m illig ram milliliter millimeter milliner millionaire millivolt 
penicillin postillion shilling silliness tranquillize trillion trillium vanillin 
g immi ck immi grant immi nent immi scible immi tigable f inni sh inni ngs 
p innip ed z inni a pippin irrig ate irri tate adm issi on comm issi on d issi dent 
d issi milar d issip ate em issi on f issi le f issi on fort issi mo m issi le m issi on 
m issi ve om issi on perm issi on perm issi ve acqu itti ng f itti ng k itti wake c ivvi es 
noon br occo li sir occo ap ollo c ollo cate c ollo id c ollo quial c ollo quium f ollo w 
h ollo w r ollo ut c ommo n acc ommo date c ommo de c ommo dore c ommo tion 
c onno te opponent opportune oppose opposite b orro w c orro borate c orro de 
h orro r m orro w s orro w bl osso m cr osso ver bl otto b otto m c otto n gr otto 
l otto m otto otto man ris otto gl owwo rm p owwo w peep poop ca reer sees aw 
teet er teet he teet otal teet otum toot toot hache toot le h ubbu b s uccu lent 
s uccu mb s uccu ss p ullu p nummulite unnu mbered chaussure g uttu ral 

Fig. 100. Instantiations of the pattern 1221 in English 
(after Hugh Casement) 

Short patterns allow many instantiations by meaningful words or fragments 
of those. The pattern 1221 allows in English the idiomorphs compiled 
in Fig. 100. The list (excluding proper names) is intended to contain all the 
words or fragments (without grammatical variations) listed in Cassell’s 
English Dictionary. 
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Note that this list contains only a few words from the military genre like 
assa(ult), atta(ck), (b)atta(lion), (b)arra(ck), (z)eppe(lin), (sh)ippi(ng), 
(m)issi(le), (c)ommo(dore); furthermore not very many words from the 
diplomatic genre like affa(ir), (amb)assa(dor), assa(ssin), (chanc)elle(ry), 
(sh)illi(ng), immi(grant), (comm)issi(on). The search space for instan¬ 
tiations of a pattern is considerably narrowed down by knowledge of the 
circumstances. 

Apart from 1221, other interesting patterns of four figures are 1211, 1212, 
1231, 1232, 1122, 1112, 1111 . While for the first four patterns instantia¬ 
tions exist like lull(aby), (r)emem(ber), (b)eave(r), digi(t), it is hard to find 
natural ones for the remaining patterns. Note that a pattern like 123245678 
means that the eight characters involved are different, otherwise the pattern 
should better be written * 232 ***** and would not express more than the 
pattern 121 does. A rather large pattern with more than one repeated figure 
normally has very few or zero instantiations, 12134253 allows the words 
pipelike, pipeline, piperine; 1233412526 solely curriculum. 

The conclusion is clear: Words and phrases that form a conspicuous pattern 
should be eliminated by the encryption clerk, usually by paraphrasing, as 
was regularly done for the British Admiralty’s traffic. A notorious example is 
1234135426 , which allows in German nothing but the ominous instantiation 
heilhitler. Who would have dared in the Reich of Hitler to eliminate this 
stereotyped ending? Kerckhoffs even pointed out that repetitions like the 
French pouvez-vous vous defendre should be avoided. But in clear contrast to 
this, it was common practice in military signal units to put emphasis on a 
group by repeating it, like OKMMMANAN (Sect. 9.2.5) in German signals. The 
Allies did the same: SC48SC48 in a signal to the Allied Convoy SC 48 (Bees- 
ly) or CHICKEN-WIRETCHICKEN-WIRE and HUDDLE-TIMETHUDDLE-TIME in a 
message from Bletchley Park to operational units, transmitting the decryp¬ 
tion of a German signal concerning American passwords and replies (Lewin). 

The number of patterns with n elements equals the number of partitions of 
n into a sum of natural numbers, the Bell number B(n) , which grows rather 
fast with n, as the following table shows: 

n 0 1 2 3 4 5 6 7 8 9 10 11 12 

B(n) 1 1 2 5 15 52 203 877 4140 21147 115 975 678 570 4 213 597 

13.2 Exclusion of Encryption Methods 

Theorem 1 can be used negatively to exclude monoalphabetic, functional sim¬ 
ple substitutions—namely if the cryptotext contains no more patterns than 
a random text. But caution is advised. For example, the lack of doubled 
characters does not mean much. Since the work of G. B. and M. Argenti, pro¬ 
fessional cryptographers have known the rule of impeding pattern finding by 
suppressing doubling of characters even in the plaintext, e.g., writing sigilo 
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instead of sigillo (Sect. 11.1.5). Also the classical suppression of the word 
spacing is meant to diminish the formation of patterns (Sect. 13.6.1). Sup¬ 
pression is a polyphonic step; in rare cases, suppression of the word spacing 
leads to a violation of injectivity: the messages that were translated — the 
messages that we retranslated , or we came to get her - we came together. 

13.3 Pattern Finding 

Theorem 1 can be used positively, if there are reasons to assume that a 
monoalphabetic, functional simple substitution is present. Examples of this 
sort are frequently found in textbooks for amateurs. 

13.3.1 An example. In the following example by Helen Fouche Gaines 
(spaces, denoted by u , are not suppressed) 

F DRJ NUuHVXXUuRDuMD u S KVS O u PJ R K u ZD 
YFZJ X u G S RRVTuQYRu WDA R WD FV U RKV U DR 
KVT u DF U S ZZDYFR u DN u NVOVTS X U S A WV Z R 
the guess is at simple substitution. Helen Fouche Gaines starts by noticing 
words with the pattern 1231 , i.e., the two-letter fragments U RD U , uMD u , 
U DF U , and U DN U ; the occurrence of D in each one suggests trying the instan¬ 
tiations /of/, /on/, /or/, /do/, /go/, /no/, /to/; i.e., the entry D = o. 
And there are two occurrences of the pattern 12341 , i.e., the three-letter 
fragments U RKV U and U QYR U have R in common, which also occurs in 
U RD U . Among the 3-letter plaintext words that start with /d/, / g/, /n/, 
or /t/, /the/ is reasonable. Assuming RKV = the , U DRKVT U becomes 
u otheT u and T = r would be almost certain. Thus, five letters are tentatively 
known and the partial decryption reads 

Fot J NU u HeXXU u t o u Mo u S he S O u PJ t h u Z o 
YFZJXyGSt t er u QYt u Wo At Wo F e u t he u ot 
her uOFySZZoYFt u oN u NeOer SX u SAWeZt 
Confirmation comes from GSRRVT turning into GStter . For the other three- 
letter word QYt/not/,/got/, / out/, /yet/ are disqualified, since /e/ and 
/o/ are already determined, /but/ would do it. Furthermore there are only 
the possibilities DF = on and DN = of (or swapped) left, since /r/ is 
already determined. In the first (happy) case there is now the following 
fragment 

not Jf U u HeXXU u t o u Mo u S h e S O u P J t h u Zo 

unZJ X u G S t t er U but u Wo A t Wo ne u t he u ot 

her u on u SZZount u of u f eOer SX U SA We Z t 
Now, SZZount is read as /account/ and this leads also to a solution for 
ZounZJX , namely councJX as /council/ . The following fragment is 
obtained: 

not i f U u He 1 1 U u t o u Mo u a h e a O u P i t h u co 

unci 1 u Gat t e r U but u Wo A t Wo ne u t he u ot 

her u on u account u of u f eOer al U SA We c t 
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This can be read in plaintext at first sight, maybe apart from Helly, which 
could be a proper name. 

The phases of decryption shown here could be called ‘pace’ (until after the 
entry three to five characters are tentatively found), ‘trot’ (until about eight 
to ten characters are found and there is no doubt any more) and ‘gallop’ (the 
remaining work). This is reflected in the build-up of the decryption table: 

A..D.FGH.JK.MNOPQRSTUVWXYZ 
o h . . t r e 

n f b . u 

1 .a 1 c 

s m g d w y P 

Only H is still unclear, as B , C , E , I , L do not occur in the cryptotext. 
At this last phase one should try to reconstruct the full decryption table. The 
reader may have noticed that N and F were standing for each other; oF , oN 
becoming /on/ , /of/ . The same is seemingly true for A and S , D and O , 
P and W , R and T , U and Y . If the encryption were self-reciprocal, 
then K = h would imply H = k , and Helly would be plaintext /kelly/ . 
The whole encryption table reconstructed this way would be 
ABCDEFGH I JKLMNOPQRSTUVWXY Z 
sqzovnmkjihxgfdwbtaryepluc 


Since the underlined letters of the lower row run backwards, there is presum¬ 
ably a construction of the substitution alphabet from a mnemonic password. 
In fact, reordering produces the self-reciprocal substitution 1 


culperabdfghi 

zyxwvtsqonmkj 


The final result is 


not i f y u k e 1 1 y u t o u go u ahead u wi t h u co 
unci 1 u mat t e r U but u pos t pone u t he u o t 
her u on u account u of u f ecler al u a s pect 

A district attorney could base an indictment on this absolutely plausible de¬ 
cryption revealing the system completely. A “systematic and exact recon¬ 
struction of the encryption method and of the passwords and keys used” (Hans 
Rohrbach 1946) is required if cryptanalysts are witnesses for the prosecution, 
like Bazeries in 1898 in the lawsuit against the Duke of Orleans, or Elizebeth 
Friedman, the wife of W. F. Friedman, in a trial against the Consolidated 
Exporters Company, a smuggling organization at the time of prohibition. 


13.3.2 Aristocrats. It should be clear that the decryption of the example 
above was this easy because word spacings have not been suppressed, con¬ 
trary to professional tradition. Not to suppress spaces is among the rules of 
the game ‘Cryptos’ found in American newspapers (Fig. 101), at least for the 


1 Samuel Woodhull and Robert Townsend in 1779 provided General Washington with valu- 
able information from New York, which was occupied by English troops; they used as 
cover names CULPER SR. and CULPER JR. (Sect. 4.4.1). Was this shortened from 
CULPEPER , which is sometimes used in the cryptographic literature for the construc¬ 
tion of keys? Edmund Culpeper, 1660-1738, was a famous English instrument maker. 
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| Cryptoquip 


KIOSP XFIEVBOSF EFPMH 
YIMKKJ XFIEVBJ FK Y F I - 
K O M H 

Yesterday’s Cryptoquip— GLUM GOLFER TODAY 
STUDIES SNOWMEN ON FAIRWAY. © 1977 King Features Syndicate, Inc. 


Today’s Cryptoquip clue: S equals C 

The Cryptoquip is a simple substitution cypher in which each 
letter used stands for another. If you think that X equals O, it 
will equal O throughout the puzzle. Single letters, short words, 
and words using an apostrophe can give you clues to locating 
vowels. Solution is accomplished by trial and error. 


| Cryptoquip 


KRKKRLH PLRUI OZGK A Y M- 
MGORA U LYPQ,QRUAH ULZIU 

Yesterday’s Cryptoquip— TRICK HARMONICA MAKES 
PRETTY HARMONY AT PARTIES. 

© 1977 King Features Syndicate, Inc. 


Today’s Cryptoquip clue: I equals M 
The Cryptoquip is a simple substitution cypher in which each 
letter used stands for another. If you think that X equals O, it 
will equal O throughout the puzzle. Single letters, short words, 
and words using an apostrophe can give you clues to locating 
vowels. Solution is accomplished by trial and error. 


Fig. 101. Cryptoquips from Los Angeles Times, 1977 


sort that goes under the name ‘aristocrats’: Spaces and punctuation marks 
remain strictly untouched, only letters are allowed in the cryptotext character 
vocabulary, and no letter may represent itself. The length of the cryptotext 
in genuine aristocrats (without ‘clues’) is 75-100 characters, i.e., rather long 
in view of a unicity distance of ss 25 for a simple substitution with permuted 
alphabet; in return for this the cryptotext may contain the most extraordi¬ 
nary and queer American words (but no foreign words) and apart from being 
formally grammatically correct, does not need to make sense; to understand 
it may be as difficult as to understand the cryptogram itself. Words from 
biology like pterodactyl, ichtyomancy, and from mathematics like syzygy 
may occur, but also yclept, crwth, and cwm may be found. The text can be 
chosen such that the normal frequencies of letters and phrases are completely 
faked, which means that the methods based on frequency analysis, to be dis¬ 
cussed in following chapters, are useless (“the encipherer’s full attention has 
been given to manipulation of letter characteristics”, H. F. Gaines). 

Kahn gives the solution of a cryptogram of the sort ‘aristocrat’ that describes 
itself: Tough cryptos contain traps snaring unwary solvers: abnormal fre¬ 
quencies, consonantal combinations unthinkable, terminals freakish, quaint 
twisters like ‘myrrh’. 

13.3.3 Lipograms. There are texts (lipograms) written totally without 
/e/ ; most famous is the (artistically unpretentious) novel Gadsby (Fig. 102) 
by Ernest Vincent Wright (Wetzel Publishing Co., Los Angeles 1939, 287 
pp.). Wright wrote in the preface that he had fixed the /e/ key on his 
typewriter, because now and then an /e/ wanted to slip into the manuscript. 
Along this line, but with higher pretension, was also Georges Perec (1936- 
1982) with his 1969 novel La disparation (English translation A Void by 
Gilbert Adair, HarperCollins 1995, 285 pp.). Perec, who also played with 
acronyms, acrostics, anagrams, and palindromes and indulged in linguistic 
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XXIX 

Gadsby was walkino 
back from a visit down in Branton Hills’ manu¬ 
facturing district on a Saturday night. A busy 
day's traffic had had its noisy run; and with not 
many folks in sight, His Honor got along without 
having to stop to grasp a hand, or talk; for a May¬ 
or out of City Hall is a shining mark for any poli¬ 
tician. And so, coming to Broadway, a booming 
bass drum and sounds of singing, told of a small 
Salvation Army unit carrying on amidst Broad¬ 
way's night shopping crowds. Gadsby, walking 
toward that group, saw a young girl, back towards 
him, just finishing a long, soulful oration, saying:— 

“. . .and I can say this to you, for I know 
what I am talking about; for I was brought up 
in a pool of liquor IT 

As that army group was starting to march 
on, with this girl turning towards Gadsby, His 
Honor had to gasp, astonishingly:— 

"Why! Mary Antorll’’ 

"Oh! If it isn’t Mayor Gadsby 1 I don’t 
run across you much, now-a-days. How is Lady 
Gadsby holding up during this awful war?” 

[ 201 ] 

Fig. 102. Page from Gadsby by Ernest Vincent Wright 

activism—he used computer programs and presented in 1969 a palindrome 
of 5 000 letters— published a history of lipograms in 1973. Earlier, in 1820, 
a Dr. Franz Rittler in Vienna published the novel Die Zwillinge, written to¬ 
tally without /r/. Even earlier, in 1800, Gavrila Romanovich Dershavin, an 
important Russian poet (1743-1816), wrote the novel A Waggish Wish com¬ 
pletely without /r/ and with only very few /o/ . 

James Joyce, too, wrote cryptic prose. The last words in Finnegans Wake: 
End here. Us then. Finn, again! 

Take. Bussoftlee, mememormee! 

Till thousendsthee. The keys to. Given! 

Lps. A way a lone a last a loved a long the. 

if given to a decryptor, would cause him great trouble. Joyce’s earlier novel 
Ulysses already contained plenty of cryptological puzzles. 

Cryptologically, these curiosities have little importance, of course, any more 
than the cryptological decorations Vladimir Nabokov included in his works. 
Vaclav Havel took the right point of view when he made fun of the Marxist- 
Leninist party (secret) language, the Ptydepe and its bureaucratic successor, 
the Chorukor. 
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13.4 Finding of Polygraphic Patterns 

One of the reasons for the use of codes is the suppression of conspicuous 
patterns. But wrongly designed codes that do not pay regard to frequently 
used longer phrases, and particularly wrong use of codes, will ruin this. 

13.4.1 Luigi Sacco. He became in 1916, at age 32, chief of the Reparto crit- 
tografico of the Italian headquarter at the Isonzo and Piave front in northern 
Italy. He received on June 30, 1918 two radio signals with the same ending 

.... 4 92073 06583 47295 89255 07325 58347 29264 . 

This was a grave mistake of the Austrians; but even worse, the fragment 
073**5834729 was repeated in the short distance of 18 letters. This gave a 
clear indication for a 3-figure code ending with 

492 073 065 834 729 589 255 073 255 834 729 264 . 

Sacco had some experience with Austrian habits and reason to conjecture 
that carelessly a longer word had been encoded letter by letter. The code 
group pattern was 123456727458 and Sacco, an engineer, had the splendid 
idea to read it radiostation. The lazy Austrian code clerk had not 
seen a need to look up the code groups for radio and station. And 
if in exceptional cases—e.g., for proper names—letter by letter encoding was 
unavoidable, then such a disclosure of the code for single letters should not 
happen at the beginning or the end of the text. 

Anyhow, this gave Sacco an entry to decrypt other words encrypted letter by 
letter and thus to break the whole code. But the Austrians did cryptanaly- 
tically at least as well. In the Kriegschiffrengruppe under the command of 
Colonel Ronge was an Italian section in which Major (later Colonel) Andreas 
Figl did excellent work, like Major (later Lieutenant-Colonel) Hermann Poko- 
rny in the Russian section—aided by the adversary’s stupidity. 

13.4.2 Pattern book. But even without Sacco’s imagination there would 
have been an immediate entry using a prefabricated list of patterns and their 
instantiations. For the entry 123456727458 of length 12 with 4 repetitions, 
the instantiation radiostation is very likely unique, and if not, trial 
and error with only a few instantiations would give immediate results. 

13.5 The Pattern Method of the Probable Word 

So far, only formal considerations have been used, assuming no more than 
a guess at the natural language underlying the crypt. We now take other 
information into account. Much beloved for an entry into a monoalphabetic 
simple substitution is the method of the probable word (French mot pro¬ 
bable, German wahrscheinliches Wort). It is not a conspicuous pattern in 
the cryptotext that we seek (and look later for its instantiations); instead, 
a search for the pattern of the probable word is made in the cryptotext— 
whether, and if so, where it may occur. Each such cryptotext fragment 
together with the probable word forms a ‘crib’. 
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13.5.1 Cribs. This method was already described by Giovanni Battista Por¬ 
ta (1535-1615) in De furtivis, 1563. If according to the circumstances division 
is a probable word, a search for the pattern 12131 of (d)ivisi(on) is indicated. 
From Figure 109 it can be seen that in the military genre the danger of find¬ 
ing a wrong word with this pattern is rather small, although the word is 
short. Instead of a word, whole phrases can be used like ‘Oberkommando der 
Wehrmacht’ or ‘Combined Chiefs of Staff’. Particularly suited are stereo¬ 
typed expressions frequently used at the beginning and ending of plaintexts 
in both the commercial and the military world. Examples like 

reference to your letter 
Hochachtungsvoll Ihr 

An SS-Gruppenfiihrer Generalleutnant der Waffen-SS Berger, Berlin W. 35, 
SS-Hauptamt, mit der Bitte um absprachegemasse Weitergabe 

From Algeria to Washington, 21. 7. To the State Department in Wash¬ 
ington. Strictly confidential. Most urgent and personal for Deputy Under 
State Secretary. From Murphy 

show that there are usually enough cribs. Even Russian copulation, the 
arbitrary cutting of the text and recombining it in the wrong order, is of 
no avail, for it does not remove patterns at all. Moreover, insight into the 
situation of the adversary and empathy can initiate a chain reaction that 
Jack Good has described well as “success leading to more success.” More in 
Sect. 19.7. And if no cribs turn up, they can be provoked: In the sequel of 
certain war actions, words like attack or bombardment are to be expected. 

13.5.2 Murphy and Jager. Immortal credit for a success on the German 
side in the Second World War was gained by the American diplomat and 
later Deputy Secretary of State Robert Daniel Murphy (1894-1978), who 
insisted on underlining his importance in his telegrams by always using the 
expressions ‘From Murphy’or ‘For Murphy’. Nevertheless, Lieutenant Jager, 
also mentioned in Sect. 4.4, stole the show. Obedience is no substitute for 
discipline, which requires brains and is therefore rare. To report regularly 
‘Nothing to report’ is a self-contradictory action. 

13.5.3 Fiihrerbefehl. The following fictitious example by Uwe Kratzer 
(Fig. 103), based on an infamous Fiihrerbefehl in the year 1939, shows how 
far a single probable word can carry. According to the circumstances it could 
be guessed that the year ‘1939’ occurs in the plaintext and in view of the 
bombastic style Hitler’s generals had adopted, it could not even be excluded 
that despite all precautions ‘neunzehnhundertneununddreissig’ would oc¬ 
cur literally. This would suggest a search for the pattern 1231 of ‘neun’, 
although it is very short and many mishits (‘blind hits’) were to be expected. 

Indeed, this pattern occurs a few times (Fig. 104), in particular as HQGH 
four times, as QHXQ twice in the third line from below and once in the 
second line from below. For ‘neunzehnhundertneun’, the second occurrence 
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Fig. 103. Fictitious encryption of a Fiihrerbefehl in the year 1939 
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Fig. 104. Occurrences of the pattern 1231 


in the third line from below has just the right distance from the occurrence in 
the second line from below. This entry, provoked by the repetition of QHXQ, 
provides a first tentative decryption in Figure 105. Obviously, there are more 
dates at the end of the text. It does not need much imagination to read the 
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Fig. 

105. 

Fragmentary decryption with the help of 

‘neunzehnhundertneun’ 
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Fig. 106. Further fragmentary decryption with the help of ‘vieruhrfuenfundvierzig’ 


very end as ‘vieruhrfuenfundvierzig’. This gives the fragmentary decryption 
of Figure 106, which means there are already a dozen characters decrypted: 

. . . d e f g h i . . . . n . . . r . t u v . . . z 

. . . GHI JKL. . . . Q. . . U. WXY. . . C 
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Pieces of the text in Figure 106 can be read quite fluently. This results in 
/m/ for P, /s/ for V, /c/ for F, /a/ for D, /o/ for R and confirms that we 
are on the right path. Now 17 characters are reconstructed: 
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Figure 

107 shows 

this 

last intermediate 

result which 

can be 

read 

fluently. 
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Fig. 107. Last intermediate decryption of the Fiihrerbefehl 


The complete encryption table reads 

abcclef ghi j k 1 mnopqr s t uvwxyz 
DEFGHI J KLMNOPQRS TUVWXYZABC 
Here at the latest it turns out that the encryption is a genuine Caesar addi¬ 
tion. If we had assumed this and used an exhaustive search, we would have 
been sure after a few steps. But who could know it? 

Figure 108 presents the final result, the Weisung Nr. 1 fiir die Kriegsfiihrung. 
The example is fictitious, and an order of this significance would not be 
encrypted by a CAESAR addition—and it would not go by radio, but by 
courier. However, with enough imagination one could perhaps see Admiral 
Wilhelm Canaris (1887-1945), the head of the Abwehr, the counter-espionage 
organisation of the O.K.W. and conspirator against Hitler, passing on the text 
so that a simple agent could radio it to Sweden. 

13.5.4 Invariance against choice of substitution. The example would 
have been treated in exactly the same way if any other monoalphabetic sub¬ 
stitution were present. This shows that the pattern finding method is totally 
independent of the kind of (simple) substitution it is up against. 
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Fig. 108. Final decryption: Weisung Nr. 1 fur die Kriegsfiihrung 


13.6 Automatic Exhaustion of the Instantiations 
of a Pattern 

Helen Fouche Gaines points out that prefabricated lists of words with the 
same pattern can help to solve the most confounded monoalphabetic substi¬ 
tutions. 

13.6.1 Listings. It can be safely assumed that the professional cryptana- 
lytic bureaus know this and that they have made practical use of it, at least 
since computers with large magnetic tape storage became available in about 
1955. More recently, by private initiative, tables specifying English instantia¬ 
tions for patterns of up to 12 letters were published 1971, 1972 by Jack Levine, 
and for patterns of up to 15 letters 1977, 1982, 1983 by Richard V. Andree. 
The listing is appropriately done in the KWIC (‘Key Word in Context’) way, 
printing the left and right context in parenthesis. Figure 109 shows a some¬ 
what multilingual example for the pattern 12131 of (d)ivisi(on). Note 
that anana(s) and (r)ococo do not belong to the pattern 12131 , but to the 
pattern 12121 . 

Such collections of patterns can be produced mechanically on the basis of a 
dictionary of the language or languages in question, today even by optical 
scanning. In this way, however, the word spacing prevents contacts between 
words; patterns originating from the suppression of the space are not taken 
into account. Also grammatical endings may be neglected. 

It is therefore better to start from a large text base of the genre in question, 
comprising up to a billion characters—say a newspaper year on a CD. 
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(m)acada(m) 

(m) ahara(ni) 
alaba(ma) 
(m)alaga 
(c)alama(ry) 
(p)alata(l) 

(m)alaya 
(t)amara 

(р) anama 

(s)araba(nd) 

(f)arada(y) 

(k)araja(n) 

(с) arapa(ce) 
(c)arava(n) 

(c)atama(ran) 
(c)atara(ct) 
(c)atafa(lque) 


ebene 

(1)edere(inband) 
(h)egeme(ister) 
(v)eheme(nt) 

(b)elebe(n) 

(b)elege(n) 

(g) elege(n) 
eleme(nt) 

(t)eleme(try) 

(h) elene 
(s)elene 

(g) elese(n) 
eleve(n) 
eleve 

(h) exere(i) 


(fr)igidi(ty) 
(r)igidi(ty) 
(n)ihili(sm) 

(b) ikini 

(m)iliti(a) 

imiti(eren) 
(1)imiti(eren) 
(d)irigi(eren) 
(v)isiti(eren) 

(c) ivili(an) 

(d) ividi(eren) 
(d)ivisi(on) 


(l) oboto(my) 

(s) olomo(n) 

(d)oloro(sa) 
(g)onoko(ecus) 

(m) onolo(gue) 
(m)onopo(ly) 
(m)onoto(ny) 

(t) opolo(gy) 
(d)oxolo(gy) 

(c)umulu(s) 


(s)tatut 


Fig. 109. Two-language KWIC list of words with the pattern slkl 12131 of (d)ivisi(on) 


13.6.2 Search for patterns. Computer-aided, interactive work is useful 
when for a given probable word instantiations of the pattern of this word 
to be displayed on the screen—are looked for. Computer help is particularly 
necessary if no probable word is available and no pattern is given, but rare 
patterns or repeated patterns 2 in the cryptotext are to be extracted. If some 
exist (i.e., if the text is long enough), this almost certainly leads to an entry. It 
goes without saying that subsequent computer-aided fragmentary decryption 
can be done semi-automatically, with little interactive intervention. 

If it is done systematically, this intuition-free method of pure pattern finding 
can be fully automated; working without semantic assumptions, it is a first 
example of a cryptotext-only attack (‘pure cryptanalysis’). The problem is to 
keep the search space small and the number of permissible variants low, and 
thus to reduce the exhaustive element in the method. To this end, several 
refinements of pattern finding can be applied. One of them uses coupled 
pattern finding in the following sense. 

13.6.3 Coupling of patterns. If two or more patterns are investigated, 
it frequently happens that some instantiations are mutually exclusive. This 
reduces the search space. To give an example, in the cryptotext 

SENZEI S E J PANOA I AOPANCAHAOA J 

1232142 12131 

the patterns 1232142 and 12131 occur; the instantiation semeste(r) for 
1232142 , mentioned in Sect. 13.1, allows only a few of the instantiations for 
12131 , namely those that are compatible with e H e s e ; from the list of 
Figure 109 this is only (g) e 1 e s e (n) . But there is another instantiation for 


2 The search for repeated patterns will be taken up again in Sect. 17.4. 
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1232142 , namely g e r e g n e (t) ; with this instantiation are compatible only 
those instantiations for 12131 that are compatible with e H e g e ; which 
from the list of Figure 109 are (g) e 1 e g e (n) and (b) e 1 e g e (n) . P=n 
from the instantiation g e r e g n e (t) collides with J= n both from 
(g) e 1 e g e (n) and from (b) e 1 e g e (n) . This attempt aborts. 

This shows how two short patterns can be coupled. The background of this 
consideration is the finding of one unified pattern 

SENZEI SE J PANOA I AOPANCAHAOAJ 

123214256272128 

and its instantiations. 

Coming back to the decryption, with semester for O A I A O P A and 
g e 1 e s e n for CAHAOAJ we have now tentatively found seven letters 
and the following fragment: 

SErZEmSEnterse mestergelesen 
For S , E and Z, the choice of plaintext characters has 19-18-17 = 5814 
possibilities. The search space could be reduced further by investigating the 
dozen or so instantiations for S E n t e r, each time trying 17 cases of 
instantiations of Z . These 12 -17 ss 200 computer-aided tests take only a few 
seconds. One decryption obtained this way is 

wi rclimwint er semes t erge 1 esen 
The reader who has doubts about this decryption (after all, not everybody 
is so very familiar with a text in an obscure foreign language) or who thinks 
that a text much shorter than the unicity distance for monoalphabetic simple 
encryption may allow more than one decryption will become more confident 
when following Rohrbach’s advice and finding out that the encryption is a 
CAESAR addition with a key 22 ~ —4. That should do it. It is to be noted 
that again in the decryption method no use was made of the peculiarities of 
a CAESAR addition. 

13.6.4 Reduction of the search space. It should be expected that in a 
monoalphabetically encrypted cryptotext the number of patterns of length, 
say, up to 15 is proportional to the length of the text. The number of cou¬ 
plings between the patterns, however, grows at least quadratically with the 
length, such that the restrictions arising from couplings increase rapidly and 
reduce the search space correspondingly, which means there is a length of 
text for which the pure pattern finding method regularly succeeds. 

13.7 Pangrams 

A special case of patterns consists of those containing no repeated characters, 
especially long patterns of the form 123456789.. .Af . Necessarily, Af < N, 
where N is the cardinality of the plaintext vocabulary. Instantiations of these 
patterns are called non-pattern words or pangrams. 3 

3 Richard V. Andree, Nonpattern Words of 3 to 14 Letters, Raja Press, Norman, Okla¬ 
homa 1982. 
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Anclree lists about 6000 non-pattern words each of length 6 and length 7, 
4200 of length 8, 2400 of length 9, and 1050 of length 10. There are still 
several hundred non-pattern words of length 11 such as 
‘abolishment’ ‘atmospheric’ ‘comradeship’ ‘exculpation’ ‘filamentous’ 
‘hypogastric’ ‘nightwalker’ ‘questionary’ ‘slotmachine’ ‘spaceflight’ 
and some dozen of length 12 such as 

‘ambidextrous’ ‘bakingpowder’ ‘bodysnatcher’ ‘disreputably’ 

‘housewarming’ ‘hydrosulfite’ ‘springbeauty’ ‘talcumpowder’ . 

Even some non-pattern words of length 13 are listed: ‘bowstringhemp’ 
‘doubleparking’ ‘doublespacing’ ‘groupdynamics’ ‘publicservant’ 
and one non-pattern word of length 14: ‘ambidextrously’. 

Note that in these examples word spacing is suppressed. There are, of course, 
also longer non-pattern sentences. Non-pattern words or sentences of some 
rather large length A f should be avoided or suppressed in the plaintext, since 
they at once expose a decryption of JV letters to an exhaustive search in a 
rather small search space. 

Genuine pangrams are sentences containing every letter just once (Af = N ). 
In English, genuine pangrams in very free language are possible, for example, 
cwm, fjord-bank glyphs vext quiz (Dmitri Borgmann), 
squdgy fez, blank jimp, crwth vox (Claude E. Shannon), 

Zing! Vext cwm fly jabs Kurd qoph (author unknown). 

Good approximations are 

waltz, nymph, for quick jigs vex bud (28 characters), 
jackdaws love my big sphinx of quartz (31 characters), 
pack my box with five dozen liquor jugs (32 characters). 

In German or French, no genuine pangram is known. Approximations are 
sylvia wagt quick den jux bei pforzheim (33 characters), 
bayerische jagdwitze von maxi querkopf (34 characters), 
zwei boxkaempfer jagen eva quer durch sylt (36 characters). 

Qui, flamboyant, guida Zephire sur ses eaux (35 characters; Guyot, 1772). 
Internationally known for many years are the test texts for teletype lines 
kaufen sie jede woche vier gute bequeme pelze 
the quick brown fox jumps over the lazy dog 
voyez le brick geant que j’examine pres clu wharf. 

The French language is particularly rich in vowel contacts, like in oui'e, 
and therefore suitable for vowel-pangrams, containing every vowel just once. 
Good examples are ossuaire (charnel-house), oripeau (tinsel), ouaille (lamb¬ 
kin), and with only six letters oiseau. 
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14.1 Non-Coincidence Exhaustion 
of Probable Word Position 

Pattern finding, using the positive coincidence of two text patterns, is neces¬ 
sarily restricted to monoalphabetic encryptions. But for a wide class of 
polyalphabetic encryptions, namely for those with fixpoint-free encryption 
steps, whose alphabets have the property “no letter may represent itself,” 
there is never a ‘crash’ between plaintext and cryptotext. This allows us 
to exclude certain positions of a probable word and thus establishes the re¬ 
maining ones as possible positions. It is a probable word attack by exhausting 
positions. Exhaustion runs only over the length of the text and is feasible. 
The precondition that no letter may represent itself holds more often than 
one might think at first. It may happen that an encryptor avoids fixpoints 
with the very best intentions. Monoalphabetic simple substitutions do this re¬ 
gularly, and for ‘aristocrats’ (Sect. 13.3.2) it is even prescribed. Furthermore, 
polyalphabetic substitutions using a collection of such alphabets—in particu¬ 
lar MULTIPLEX (fully cyclic) encryption steps—inherit the property. 
Moreover, all polyalphabetic substitutions with properly self-reciprocal al¬ 
phabets have the ‘non-crashing’ property, i. e., are fixpoint-free. This includes 
among others methods with PORTA encryption steps (Sect. 7.4.5) (requiring 
N = \V\ even), but not those with BEAUFORT encryption steps (Sect. 7.4.3). 
The non-coincidence exhaustion attack usually allows several possible posi¬ 
tions of a tentative probable word, which need to be investigated exhaustively. 
If for a Shannon cryptosystem (Sect. 2.6.4) the alphabets are known and if 
the probable word really does occur, this gives an entry, leading to the recon¬ 
struction of a part of the key. In the case of a key with a known construction 
principle, that’s it; in the case of a periodic key, large parts of the plain¬ 
text are disclosed. In the monoalphabetic case, of course, non-coincidence 
exhaustion works, too. 

For the phrase “Erloschen ist Leuchttonne” (Sect. 11.1.3) there are in the 
following cryptotext under fixpoint-free encryptions, e.g., ENIGMA steps, 
only two positions possible (all others lead to a crash, marked by boldface): 
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YOAQUTHNCHWS YTI WHTOJ QMTCFKUS LZVSMFNGTDUQNYAVH 

erl oscheni stl eucht tonne 
erl oscheni stl eucht tonne 
erl oscheni stl eucht tonne 
erloschenistleuchttonne 
erl oscheni stl euchttonne 
erloschenistleuchttonne 
erloschenistleuchttonne 
erl oscheni stl euchttonne 
erloschenistleuchttonne 
—> erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erloschenistleuchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erloschenistleuchttonne 
erloschenistleuchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
erl oscheni stl euchttonne 
—>erloschenistleuchttonne 

Quite a number of mechanical cryptosystems are susceptible to this exhaus¬ 
tion attack. First of all, there are the strip and cylinder multiplex encryptions 
(Sect. 7.5.3), whose non-identical alphabets are monocyclic substitutions. 
Second, there are machines working ‘for facilitation’ self-reciprocally. Then 
every alphabet is self-reciprocal. If 1-cycles (fixpoints) are excluded for tech¬ 
nical reasons, then the precondition “no letter may represent itself” holds. 
While the crypto machines of Boris Hagelin, working with mechanical BEAU¬ 
FORT steps, did not exclude 1-cycles, the electrical ENIGMA disallowed 
them, thus suffering from a weakness which was a consequence of introduc¬ 
ing the reflecting rotor—meant to be a particular smartness. It would be hard 
to believe that Group IV (Erich Hiittenhain) of the Cipher Branch OKW, 
watching over the security of their own systems, did not know of this possi¬ 
bility for a break, but presumably they underestimated it. In any case, it was 
an essential piece of good luck for the work of the Polish Biuro Szyfrow and 
of the British clecryptors in Bletchley Park. But the strip cipher CSP-642, 
used equally carelessly in the US Navy, was also a polyalphabetic multiplex 
encryption with multiple mixed alphabets and it was also endangered; the 
Japanese made use of this after they had seized the strip devices on the 
Wake and Kiska islands. At OKW/Chi, Wolfgang Franz worked on US strip 
ciphers. 

Short probable words allow many hits, of course, and thus also many mishits. 
The total probability of hits in looking for a word of length n is 
P n = (1 — 1/N) n x e~ n / N ; n should be large enough to make P n somewhat 
smaller than the frequency of the probable word. Figure 110 shows some 
values of P n for the usual case TV = 26. 
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n 

Pn [%] 

n 

Pn [%] 

p-i 

1 

96.15 

12 

62.46 


2 

92.46 

16 

53.39 


3 

88.90 

25 

37.51 

2.67 

4 

85.48 

32 

28.51 

3.51 

5 

82.19 

50 

14.07 

7.11 

6 

79.03 

64 

8.126 

12.31 

8 

73.07 

100 

1.980 

50.50 

10 

67.56 

128 

0.660 

358.92 



200 

0.039 

2550.75 


Fig. 110. Total probability P n [%] of hits for non-coincidence exhaustion (N= 26) 


The following plaintext of length 60 (Konheim) is encrypted by ENIGMA: 
manyo rgani zatio nsrel yonco mpute rsa 

GRSUZ TLDSZ NKWNE RDPFB OVVQN OB KYI QNJ 

Non-coincidence exhaustion for the 8-character word /computer/ should show 
for the first 26 positions about 19 (26x0.7307) possible positions. In fact, 21 
of the positions cannot be excluded and thus there are actually 20 mishits: 


GRSUZTLDS 
c o mp u t e r 
-> computer 
—» c o mp u t e 


Z N K WN ERDPFBOVVQNOBKY I QNJ 


r 

c o mp u t e 
c o mp u t 
—> c o 

—> c 


r 

mp u t e 
o mp u t 


r 

c o mp u t e 
c o mp u t 


mp u t 
o 


r 

mp u t e 
o mp u t 
c o 


r 

mp u t e 
o mp u t 


mp u t 
o 


r 

mp u t e 
o mp u t 
c o 


r 

mp u t e 
o mp u t 

c o 


r 

mp u t e 
o mp u t 
c o 


r 

e r 
mp u t e r 

o mp u t e r 

c o mp u t e r 
c o mp u t e r 

—y c o mp u t e 


/computer/ is indeed a very short word, /oberkommandoderwehrmacht/ (24 
characters) would do much better (Sect. 19.7.1). A count gives for the first 
36 positions of this word 14 possible positions (all mishits), compared with 
the expected 36-0.3901 = 14.04. A probable word of length n=100 has not 
yet a good chance of avoiding some mishits in a text fragment of length 300; 
for n = 100 and a text of length 300, we have 300-P(100) = 300-0.01980 « 6, 
for n=200 in atext of length 2500, we have 2500-P(200) = 2500-0.00039 ss 1. 
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14.2 Binary Non-Coincidence Exhaustion 
of Probable Word Position 


More information about the encryptions of a polyalphabetic cryptosystem 
may improve the situation with respect to mishits. To give an example, 
assume polyalphabetic PORTA encryption steps mapping one half of the 
alphabet into the other half and vice versa (Sect. 7.4.5), say with V = Z 2 e 

2 

{abcd...lm} -<—>- {nopq...yz} . 

The binary pattern of a text is obtained if every character is replaced by 
0 or 1, depending on whether it is from the first or the second half of the 
alphabet. 

Now assume that the same text as above is somehow PORTA encrypted: 

manyo rgani zatio nsrel yonco mpute rsa 

PRGBF IOZGP LYCNE EDGWS AIKQD OBKJQ CMP 

/computer/ has the binary pattern 01011101 , thus in the cryptotext 
complete non-coincidences with this pattern are to be looked at: 


PRGBFI OZ GPLYCNEEDG WS A I KQDOBKJ QCMP 
110000110101010000110001010001001 

01011101 
0 1 0 1 1 1 0 1 
01011101 
01011101 
01011101 
0 1 0 1 1 1 0 1 
01011101 
0 10 1110 1 
01011101 
0 1 0 1 1 1 0 1 
01011101 
0 1 0 1 1 1 0 1 
01011101 
01011101 
01011101 
01011101 
01011101 
01011101 
01011101 
0 1 0 1 1 1 0 1 
0 10 1110 1 
0 1 0 1 1 1 0 1 
01011101 
-4 01011101 

01011101 

01011101 


In this example, even with a rather short probable word, the binary coinci¬ 
dence exhaustion has no mishits, while the non-coincidence exhaustion does 
not exclude 21 of the positions and thus has 20 mishits. Even the shorter word 
/comp/ with the binary pattern 0101 has only three mishits—compared with 
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the expected 26 • (^) 4 = 1.62 possible positions. For PORTA encryptions, 
probable words of a few characters are in general already sufficient to distin¬ 
guish between a genuine hit or a total miss. The same is true for encryptions 
a la Gronsfeld (see Sect. 7.4.1) using a truncated Vigenere table. 

The word /oberkommandoderwehrmacht/ contains the 11-character word 
/kommandoder/ with the pattern 
01000101001 

It cannot be present in the plain text of this example, since every position 
leads to a crash: 
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01000101001 

01000101001 
01000101001 
01000101001 
01000101001 
01000101001 
01000101001 
01000101001 
01000101001 
01000101001 
0 1 0 0 0 1 0 1 0 0 1 
01000101001 
01000101001 
01000101001 
01000101001 

14.3 The De Viaris Attack 

Even against the strip and cylinder multiplex encryptions, working with 
monocyclic unrelated alphabets allowing non-coincidence exhaustion accord¬ 
ing to Sect. 14.1, the unauthorized decryptor can do more. This discovery 
was made unhappily by Etienne Bazeries, the great practitioner of cryptanal¬ 
ysis, when his allegedly unbreakable device was ridiculed by his opponent De 
Viaris. Incidentally, the attack of De Viaris in 1893, improved by Friedman 
in 1918, does not presuppose that the alphabets are monocyclic. 

14.3.1 De Viaris. The general method requires that the device is in the 
hands of the unauthorized decryptor. Since nothing prevents the number 
of disks or strips from being two dozen or more, there is always a number 
of permutations big enough to exclude trivial exhaustion. The maximal pe¬ 
riod is determined by the system and the known alphabets could be tested 
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against columns of monographically encrypted characters (Sect. 18.2.5); but 
the depth of the material as a rule is not sufficient to succeed with a frequency 
analysis. 

For the special case of the strip and cylinder devices there is the seeming 
complication by homophony. It will turn out that homophony does not hinder 
the unauthorized decryptor much more than the authorized one. For the 
moment, let us assume that the (homophonic) cryptotext fragment is read 
from the fc-th row after the plaintext row (in the fc-th generatrix, Sect. 7.5.3). 
Beginning with small values of k , there would be in the worst case two dozen 
trial and error cases. We also assume, for simplicity, that a probable text 
will be short enough not to be cut by the period hiatus of the encryption. 

Now, for fixed k and a given probable plaintext word, we determine the set 
of all characters occurring on the disks or strips in the fc-th generatrix. With 
this basic information we investigate all positions of the probable word to 
find out for which ones the cryptotext could have been obtained at all. For 
a short probable word we expect there to be several possibilities to follow 
up. If the probable word is long enough, it may happen that no possibility 
is found, in which case transition to another generatrix is indicated. If this 
is unsuccesful for every generatrix, then the probable word is not present 
in the plaintext despite our assumption—which may also mean that it was 
interrupted. 

For Bazeries’ cylinder with 20 disks and an example of a cryptotext that goes 
back to the military genre of Givierge, 


F S AMC 
L RMQU 
RTMUK 
VREXZ 


RDNFE 
UXRG Z 
HRDOX 
G U G L A 


Y H L O E 
N B OML 
L A X O D 
B S E S T 


R T X V Z 
N D N P V 
CREEH 
V F N G H 


the De Viaris decryption attack goes as follows: 

Let the probable word be /division/. For the 20 cycles of Bazeries (Fig. 68), 
Figure 111 (a) displays the encryptions of /division/ for the first generatrix. 
Thus, the sets of crypto characters that occur are to be read vertically under 
the plaintext characters /d/, /i/, /v/, /i/, /s/, /i/, /o/, /n/ of /division/ . 

Sliding a paper strip with the cryptotext along these sets, we can decide for 
every position of the probable word whether all the corresponding letters in 
the cryptotext are found among the available ones. For example, this is not 
the case for the following position, adjusted with the fragment FSAMCRDN, 

cl i v i s ion 

F S AMC RDNFE YHLOE RTXVZ 

where only the four letters in boldface type (instead of eight) are found. The 
same is true for the next position, adjusted with the fragment SAMCRDNF, 
cl i v i s i on 

FSAMC RDNFE YHLOE RTXVZ 
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Fig. 111. Encryptions of /division/, (a) 1st generatrix (with FSAMCRDN), 

(b) 4th generatrix (with HLOERTXV) 


where again only the four letters in boldface type (instead of eight) are found. 
For the next but one position, adjusted with the fragment AMCRDNFE, 

cl i v i s i o n 

FSAMC RDNFE YHLOE RTXVZ 
there is also no hit. Continuing in this way, the first generatrix can be 
excluded for all positions of /division/ . 

Now we turn to another generatrix. In Figure 111 (b) encryptions of the word 
/division/ for the fourth generatrix are displayed. Again the sets of crypto 
characters that occur are to be read vertically under the plaintext characters 
/d/, /i/, /v/, ... of /division/. Beginning again from the left, we get a hit 
for the twelfth position with the fragment HLOERTXV for the first time, 

cl i v i s i on 

FSAMC RDNFE YHLOE RTXVZ 
All eight letters (in boldface type) are found among the available ones and 
seven of them just once, and they determine the corresponding alphabet. 
However, for H there is a choice between the first and the eleventh alphabet, 
as Figure 111 shows. 

14.3.2 Warning. At this moment some additional knowledge about the 
system can be made use of. In principle, any alphabet, unrelated or accom¬ 
panying, could be used several times. For VIGENERE encryption steps this 
would be quite normal. Progressive encryption (Sect. 8.4.3) limits this, in or¬ 
der to prevent accumulation of material encrypted with the same alphabet. 
For cylinder and strip devices progressive encryption is systemic; it seems to 
increase security to have each cylinder or strip available only once and thus 
to use it within the period exactly once. But as soon as the alphabets fall 
into the hands of the foe, this is actually a complication illusoire. 
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Under the assumption of progressive encryption, which holds for Bazeries’ 
cylinder, H = d excludes the eleventh alphabet, since this is already need¬ 
ed uniquely for R = s. Thus, so far the order of the cylinders is partly 
determined as follows: 

***** ***** *1354 1113 15 12 * 

Furthermore, to exclude the possibility of a mishit, we investigate whether in 
a distance of 20 characters a meaningful decryption results. For the fragment 
BOMLNDNP the result 

LRMQU UXRGZ NBOML NDNPV 
1354 11131512 


z h p n rmyk 24. 

a i n m a t i n —> 0. 

BOMLNDNP 1. 

c j 1 k d n s q 2 . 

cl k k j b s t t 3. 


shows a convincing decryption /ainmatin/: for this round the first genera¬ 
trix was used. Furthermore, in a distance of 40 characters for the fragment 
AXODCREE the result 

RTMUK HRDOX LAXOD CREEH 


13 5 4 

1113 15 12 


A X O D 

C R E E 

22. 

b z i c 

o e z z 

23. 

c a q b 

u m 1 1 

24. 

cl e p a 

r t a s 

-> 0 . 

e b n z 

a cl j a 

1 . 


produces the convincing decryption /departas/: for this round the 22nd 
generatrix was used. 

The plaintext fragment /departas/ can be supplemented in two ways: to 
/departasixheures/ or to /departaseptheures/. Considering the fact that 
6 o’clock would be rather early, we try /departaseptheures/ as next probable 
word, which is cut into /departase/ and /ptheures/. This last one is treated 
in Figure 112 ; for the third generatrix the encryptions of /ptheures/ are dis¬ 
played. In the position immediately following, with the fragment VREXZGUG 
(chances for a hit are 1:206) there is indeed a genuine hit 
p t h e u res 

VREXZ GUGLA BSEST VFNGH 

which determines the positions of four more, not yet treated cylinders: 

R = t requires the 7th, X = e the 6th, G = r the 10th, G = s the 9th 
cylinder. In Figure 112, the cylinders so far determined are marked. From 
the remaining ones, Z = u requires uniquely the 17th cylinder, while three 
cases are left open: V = p requires the 16th or 20th, E = h the 14th or 18th, 
U = e the 2nd or 8th cylinder. 
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ptheures 

• 1 SXKHYUHV 
2 SZLUCVUX 

•3 QZJDRVDX 
•4 MQEBROBP 
•5 LODHVQHI 

• 6 LQDXENXP 

• 7 JRQDBUDT 
8 DMXULSUV 

•9 VFYLZDLG 

• 10 TAMROGRY 

• 11 YSMTNDTU 

• 12 VFNSDZSC 

• 13 YSPDCTDX 
14 B I E T P A T Y 

• 15 XEOALZAU 

16 VBCGDUGY 

17 UXPOZLOA 

18 TUES CDS I 

19 SABCMXCY 

20 VAKCEYCL 

Fig. 112. Encryptions of /ptheures/ , 3rd generatrix (with VREXZGUG) 


The result is the following distribution of 19 of the total of 20 cylinders: 

^ 7^ 617 Bg 9 * * * 1 3 5 4 1113 15 12 * 

The remaining decryption is a trifling matter: with the 13 cylinders whose 
situation is determined so far, there is a fragmentary decryption 

FSAMC RDNFE YHLOE RTXVZ 

* a * r o i * i * * * d i v i s i o n * 

LRMQU UXRGZ NBOML NDNPV 

* p * r t e * a * * * a i n m at in* 

RTMUK HRDOX LAXOD CREEH 
*r*ei m*s** *depa rtase 

VREXZ GUGLA BSEST VFNGH 
ptheu res** *pxxx xxxx* 

which immediately suggests two further fragments: 

/la troisieme/, /demain/, allowing us to fill all but 
the 20th position, and after that the 20th position, 
too. The complete order of the cylinders, the pass¬ 
word, can be reconstructed: 


16 7 18 6 17 10 8 9 2019 21354 11131512 14 


The complete decryption is (note the patching nulls at the end): 


FSAMC RDNFE YHLOE RTXVZ 
latro isiem edivi sions 

LRMQU UXRGZ NBOML NDNPV 
eport erade mainm at ins 

RTMUK HRDOX LAXOD CREEH 
urrei mssto pdepa rtase 



Marquis de Viaris 
(1847-1901) 


Total probability or hit 

V — V — V — V— V— V — V — 

25 25 25 25 25 25 25 

« 1 : 206 

► {A, B, C, D, G, H, L, O, R, S, T, U, X} 

► {b, c, d, e, j, k, l, m, n, o, p, q, X, y} 

► {b, d, j, l, m, q, s, t, U, V, X, y} 

► {A, d, g, l, n, o, q, s, t, U, V, X, Y, z} 

► {A, C, G, I, L, P, T, U, V, X, Y} 

► {A, B, E, F, I, M, O, Q, R, S, U, X, Z} 

► {A, B, E, F, I, M, O, Q, R, S, U, X, Z} 


VREXZ GUGLA BSEST VFNGH 
ptheu resst opxxx xxxxx 
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14.3.3 Syllables. Even if a probable word is missing, the De Viaris attack 
may work. Following Givierge (1925), frequent bigrams, trigrams, and tetra- 
grams are used. We shall show this for the French and English standard 
ending /ation/. For each generatrix, for each plaintext letter, the sets of 
possible cryptotext letters are prefabricated. Figure 113 shows this for the 
first generatrix. Since the associated sets comprise only roughly half of the 
letters, the danger of mishits is again not too great. 


at ion 


1 B U J P O 

2 E V O U P 

3 E VO J P 

4 Z S H NM 

5 J S Q I M 

6 Z S E I M 

7 L D J N S 

8 V O E Y H 

9 R S J P O 

10 F G E T C 

11 N Z T U D 

12 I V C R P 

13 U D R 1 S 

14 I P B N E 

15 J R N P S 

16 I HMG F 

17 BUENA 

18 BDUMQ 

19 C E J N T 

20 C E J U O 


Total probability of hit 


12 

25 


X 



12 x 
25 X 

1 : 51 


10 

25 


X 


12 

25 


a {B, C, E, F, I, J, L, N, R, U, V, Z} 
t e-> {D, E, G, H, O, P, R, S, U, V, Z} 
i e-> {B, C, E, H, J, M, N, O, Q, R, T, U} 
o i-> {G, I, J, M, N, P, R, T, U, Y} 
n i-> {A, C, D, E, F, H, M, O, P, Q, S, T} 


Fig. 113. Encryptions of /ation/, 1st generatrix 


Methodically, the attack of De Viaris and Friedman and in particular the 
variant of Givierge try to find many small islets which can be enlarged into 
archipelagos, which in turn can be merged into continents, and so on. 

14.3.4 Transitive cryptosystems. As noted above, the general De Viaris 
attack does not presuppose the alphabets to be monocyclic. We can now 
see clearly that both binary coincidence exhaustion (Sect. 14.2) and non¬ 
coincidence exhaustion (Sect. 14.1) are special cases where the cryptotext 
character sets associated with a plaintext character are formed systematically. 
In order to avoid mishits, the smaller the associated crypto character sets are, 
the better for the decryptor. On the other hand, for this reason the general 
De Viaris attack breaks down if each of the associated sets is the full crypto¬ 
text vocabulary. A cryptosystem with this defensive property we shall call 
transitive. Necessarily then the number of alphabets is greater than or equal 
to N. The Bazeries cylinder of 20 disks violated this condition. M-138-A 
from the USA used 30 strips, and it should be expected that the alphabets 
were always selected (out of 50 or 100) to give a transitive cryptosystem. 

If the number of alphabets equals N, then for a transitive MULTIPLEX cryp¬ 
tosystem the alphabets of N characters each form a Latin square (Sect. 7.5.4). 
The 26 alphabets attributed to Mauborgne (Sect. 7.5.4, Table 3) are (almost) 
constructed this way. Equivalently, for each pair of plaintext and cryptotext 
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characters the corresponding key is even uniquely determined. But this is 
just the condition characterizing a Shannon cryptosystem (Sect. 2.6.4). 

14.3.5 Famous French cryptologists. The French Marquis Gaetan Henri 
Leon de Viaris (gallicized di Lesegno) was born on February 13, 1847 at 
Cherbourg, son of a captain of artillery. At age 19, De Viaris entered the 
famous Ecole Poly technique, at age 21 he went to sea; later he became prefect 
of police and finally infantry officer. His interest in cryptology arose around 
1885; he first made his reputation inventing a printing cipher machine. He 
was, after Babbage, the first to use mathematical relations in cryptology, 
namely when characterizing linear substitutions in a series of articles in 1888. 
In 1893 he wrote the cryptanalytic essay L ’ art. de chiffrer et dechiffrer les 
depeches secretes which made him famous. In 1898, he also published a 
commercial code. He died on February 18, 1901. 

Marcel Givierge was Major and assistant to Colonel Cartier when he started 
in 1914, after the outbreak of the First World War, to build up the decryp¬ 
tion bureau of the French General Staff. In 1925, when his book Cours de 
Cryptographic was published, he was Colonel; later he was promoted General. 
Not without pride he remarked that one mot probable was worth quintillions 
of trials. 

Under Givierge worked Major Georges-Jean Painvin, a genius of a decryptor 
who had studied paleontology and after the war became an important tycoon. 

14.3.6 Rohrbach. One of the few cases in the 20th century of an enlight¬ 
ening and open report on successful professional cryptanalysis is due to the 
peculiar situation after the end of the Second World War, when the FIAT Re¬ 
view of German Science was written. In the series on applied mathematics, 
Hans Rohrbach reported on cryptology, and this included details of break¬ 
ing the ‘American Strip Cipher 0-2’, as Rohrbach calls it, a variant of the 
M-138-A for the diplomatic service of the US State Department in Berne, 
Stockholm and Madrid, which was accomplished in the German Sonderdi- 
enst Dahlem of the Auswartiges Amt. In 1979, a quite detailed report, writ¬ 
ten in the second half of 1945, was published for the first time. It comprised 
the work of the mathematicians Werner Kunze, Hans Rohrbach, Anneliese 
Hiinke, Erika Pannwitz, Hansgeorg Krug, Helmut Grunsky, and Klaus Schultz 
—not to forget the linguists Hans-Kurt Muller, Asta Friedrichs, Annemarie 
Schimmel, Joachim Ziegenrucker, and Ottfried Deubner. The work started 
in November 1943 with collecting and sorting a rich legacy of cryptotexts, 
mainly addressed to or sent from the US Embassy in Berne, Switzerland 
(where Allen W. Dulles, Office of Strategic Services (O.S.S.), Chief of the US 
espionage network O.S.S.(S.I.) in Europe, was stationed), which showed 

(1) frequent parallels, including longer ones, but never longer than 30 char¬ 
acters and frequently of length 15, 

(2) frequent parallels between messages of the same day, but never in two 
messages of different days in the same month, 
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(3) no parallels between two messages, if one was before and the other after 
August 1, 1942. 

The conclusion was that after 15, sometimes after 30 characters a change 
in the encryption was made, that the password was changed daily, and that 
on August 1, 1942 a more fundamental change in the encryption system 
was made. This allowed the working hypothesis of a polyalphabetic mono¬ 
graphic encryption of period 15. The encryption system used was unknown 
to Rohrbach, but it was known that the US cryptologists had a liking for 
cylinder and strip ciphers. However, even so, Rohrbach did not have the al¬ 
phabets. It was therefore not possible to start with a plain De Viaris attack. 
Further studies using Hollerith punch card machines showed that 

(4) if the messages were broken into blocks ( ‘Zeilen ’) of 15 characters, all 
repetitions of at least 8 characters appeared vertically in the same columns. 
This confirmed the assumption of a polyalphabetic monographic encryption 
of period 15; moreover from stereotyped repetitions (‘From Murphy’, ‘Strictly 
Confidential’) at the beginning of the messages it could be deduced that 
no letter could represent itself, and that the same plaintext in the same 
position would give cryptotexts without coincidences. This all focused the 
suspicion onto a polyphonic encryption with monocyclic alphabets, as done 
by a cylinder or strip cipher, and not by a machine. Thus, 15 or 30 alphabets 
had to be determined for each day. 

But the legacy was rich, with a daily average of 15 messages, each with 40 
blocks of 15 characters. These blocks had to be grouped in ‘families’ encryp¬ 
ted with the same set of alphabets, presumably selected from a supply of more 
than 15, in the same order. Moreover, the blocks had to be grouped in classes 
according to the generatrix to which they belonged. Once the blocks were 
coordinated in this way, the cryptanalysts dealt with monoalphabetic en¬ 
cryptions. With massive use of Hollerith punch card machines and of special 
equipment built by Krug, the coordination proceeded in small steps of form¬ 
ing ‘nuclei’; for this task they used the Chi test (Chapter 16, Sect. 18.2.5). 
The most voluminous class (‘Class IH’) finally comprised 3000 blocks, grouped 
into 25 families of between 60 and 150 blocks. For the reconstruction of the 
alphabets finally they used the probable word fragments /tion/ and /ation/, 
supported by the bigram triplets /in/, /an/, /on/ and /in/, /an/, /un/ . 
Rohrbach describes vividly the process of crystallization in this task. After 
about one year, the undertaking ran under its own power. Class IH was first 
worked out fully and its 2x15 strips determined. Some of these strips oc¬ 
curred in other classes, too; for example, 18 in Class I. In the end, Rohrbach’s 
group found out that 50 strips altogether had been used—we know today that 
this corresponds to the facts. The classical De Viaris method then gave the 
selection and order of the strips belonging to the daily passwords, of which 
40 were identified. 

Thus, all messages encrypted with ‘0-2’ could be read. To speed it up, Kunze 
even had a semiautomatic device built for the changing of the lines in a search 
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for the right generatrix. Unfortunately for the German side (and for the 
Finns, who also read the US State Department ciphers), fortunately for the 
Anglo-American one, shortly after full use could be made of the results of the 
break, the State Department changed in mid-1944 to the more modern and 
secure SIGTOT machines with individual keys, provided by the US Army. 
By September 1944 the well was dry. Moreover, the efficiency of Sonderdienst 
Dahlem was suffering under Allied bombing. Then, the Russian army came 
closer and closer to its evacuation site in Silesia. Towards the end, it moved 
to a castle in Thuringia, and was transported to Marburg when the Western 
Allies left Thuringia. Meanwhile, the Forschungsamt of the Reichsluftfahrt- 
ministerium, Goring’s eavesdropping agency, was not much better off. 

The Japanese tried also to break the CSP-642, but not very successfully. 
Friedman had armored it against a De Viaris and Givierge attack, and only 
a non-coincidence exhaustion of probable word positions was feasible. How 
well the Russians managed is unknown. 

14.4 Zig-Zag Exhaustion of Probable Word Position 

Some methods use a probable word to reconstruct the key, which is only possi¬ 
ble, of course, if plaintext and cryptotext determine the key uniquely (Shan¬ 
non cryptosystems, Sect. 2.6.4). This is trivially so with monoalphabetic 
encryption, even if polygraphic with a large width. It is also the case with 
polyalphabetic encryptions having a key group (Sect. 9.1.1). Most prominent 
representatives are all linear substitutions, where the key—be it periodic or 
not—can be simply calculated by subtraction provided the alphabetic order is 
known. This possibility was studied in 1846 by Babbage for VIGENERE and 
BEAUFORT encryptions. Among the non-linear substitutions that obey the 
Shannon condition, ALBERTI encryptions and PORTA encryptions bring no 
complications provided the reference alphabets are known. 

It is doubly dangerous to use a meaningful keytext in a common language. 
If for a polyalphabetic Shannon cryptosystem- -periodic or not—the encryp¬ 
tion steps are known, then the possible positions of a probable word in the 
plaintext are those that give reasonable keytext fragments; they can be ex¬ 
haustively determined. 

In this case, however, the role of plaintext and keytext can also be exchanged. 
In a meaningful keytext there is most likely also a probable word that gives 
a reasonable plaintext fragment. 

As an example, we assume the cryptotext 

BAWI S ME WO OPGVRS F I BBTJ TWL H WWA H T MJ V B 

has been encrypted over Z 26 with VIGENERE steps. As a probable word 
in the keytext we assume the frequent word THAT which holds rank 7 in 
the frequency list for English. Exhausting the positions of this word in the 
keytext gives the following fragments of plaintext, 
itwp hpiz dbst plml zfed txwv lpov dhow vhpn ... cltha hatt , 
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among which the eighth, the last but one, and the last one look promising. 
Guessing now that dhow can be continued dlrowevor results in the prolonged 
key fragment THATCANB. The last two fragments dtha and hatt overlap 
and are mutually exclusive, but it will turn out that dtha is the right one. 

On the plaintext side, words can be guessed, too; e.g., should leads to 
JTIOHJ , IPUYBB , EBESTT , QLYKLL , ..., 

where the third position fits. Thus should and dlrowever overlap to form to¬ 
gether slrouldhowevcr , corresponding to EBESTTHATCANB . Extended to 
THEBESTTHATCANBE , this gives a plaintext extension that fits and reads 
itshouldhoweverb , which in turn suggests an extension to itslrouldhowevcrbe 
and so on. 

Such a zig-zag interplay will frequently result in a complete decryption 
(Friedman 1918); in the given example plaintext and keytext read as follows 
(compare the quotations in the introduction to Part II): 

itshoul dhoweverbeemphas izedthatcry 
THEBESTTHATCANBEEXPECTEDISTHATTHED 

Nonperiodic keytext does not prevent zig-zag exhaustion; what matters is 
that both the keytext and the plaintext have clearly more than 50% redun¬ 
dancy. 

14.5 The Method of Isomorphs 

Encryptions based on rotated alphabets also suffer from the defect that the 
alphabets may not form a Latin square. Thus, an avenue of attack is opened. 
14.5.1 Knox and Candela. This can be demonstrated by the method of 
isomorphs for breaking ROTOR encryptions, used as early as 1937 (if not ear¬ 
lier) by Dillwyn Knox in a break of the Italian ENIGMA without plugboard 
and later against Franco in Spain, but described in the open literature 1 only 
in 1946 by Rosario Candela. The method of isomorphs was called rodding 
(‘cliques on the rods’) or methode des batons by the French; its existence was 
the main reason for the introduction (as early as 1930!) of the plugboard 
in the Reichswehr ENIGMA. In the 1936 1939 Spanish Civil War, Italian 
and Franco forces used the ENIGMA without plugboard—the Italian Navy 
even as late as in 1941—and the method of isomorphs, originally discovered 
for the ENIGMA C by Hugh Foss around 1927, served the cryptanalytic ef¬ 
forts of the British (Knox, 1937), the French and, according to Rohrbach, 
the German sides. In 1939, Colonel Tiltman solved the Swiss ENIGMA K. 

Assume the polyalphabetic substitution is of the form (p 7 ; plaintext character, 
Ci cryptotext character) 

1 Knox, in 1938/1939, gave the essence of his experience with the unsteckered ENIGMA 
and his unsuccessful attacks on the Wehrmacht ENIGMA to Turing, who summarized 
in his Treatise on the Enigma (the ‘Prof’s book’, about 1940) the ‘long and complicated 
hand process’ (Mahon) under the heading ‘The Saga’. 
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(*) <k = Pi Si U 5'r 1 

with known alphabets Si, whose order is known, too—the unknown key is 
the starting index of the sequence and possibly U . With the isomorphic 
(Sect. 2.6.3) sequences CiSi and PiSi , i.e., 

CiSi — PiSi * U , 

CiSi is the monoalphabetic image of PiSi under U. 

In general, two arbitrarily chosen sequences are not isomorphic: the sequences 
(alle ...) and (gang ...) are not isomorphs, because, e.g., the pairs (l,a) and 
(l,n), as well as the pairs (a,g) and (e,g), are contradictory (they ‘scritch’). 

Cryptanalysis needs for a given probable word p= (pi,pi + i,.. -Pi+k) a suit¬ 
able index i such that the sequences pS= (piSi,Pi+iSi+i,.. -Pi+kSi+k) and 
cS = ( CiSi , Cj+iSj+i,.. • Ci + kSi + k) are isomorphs. Contradictions lead to an 
exclusion of the index. Among the suitable indexes is certainly the right 
one, if the probable word occurs; the longer the probable word is, the fewer 
mishits are to be expected. 

The precondition (*) above is fulfilled in the case (b°) of Sect. 7.2.2 with 
Si = p~ l . This situation occurs specifically with the commercial machines 
ENIGMA C and ENIGMA D without plugboard, with 3 rotors and fixed or 
movable reflectors (Sect. 7.3.2, where the plugboard T is the identity), with 

Si = S(i lt i 2t i 3 ) =p~ Zl Rn P H ~ l2 Rm P l2 ~ 13 Rl P 13 
as soon as all rotors used are explored—this is so with a commercial ma¬ 
chine anyhow—and their order is known (in the worst case, for a 3-rotor 
ENIGMA there are six orders of the rotors to be tested). Moreover, U is self¬ 
reciprocal in the ENIGMA case; this leads to some further possibilities of 
‘scritching’ and the exclusion of an index, i.e., a rotor position, as well as to a 
positive confirmation of a suitable index by the appearance of a self-reciprocal 
substitution. The possibility of mishits is reduced; the self-reciprocal charac¬ 
ter of the ENIGMA helps the clecryptor. 

Moreover, thanks to the regularity (Sect. 8.4.4) of the ENIGMA rotor move¬ 
ment it is normally not necessary to test all 26 3 = 17576 or 26 4 = 456 976 
rotor alphabets. It usually suffices to consider only the 26 positions of the fast 
rotor Rn lying between two steps of the medium rotor Rm ■ The two other 
rotors remain fixed for the while and form together with U a pseudo-reflector 

u ' = U[ i2 i3) = p~ i2 R m P i2 ~ i3 Rl p 13 ■ U • P ~ i3 R~ L X p l3 ~ %2 R M P i2 • 

With S' = S (il) =p-^ R n p* : dSl = PiSi . U[ i2 . 3) . 

14.5.2 Method. For the practical performance of the method of isomorphs 
there exists again a strip method, the strips (‘rods’) carrying the columns 
of the rotated alphabets. Following an example by Deavours and Kruh, the 
following probable word is to be compared with a fragment of the cryptotext: 

recon nai ssance 
UPYTEJ OJ ZEGBOT 



14-5 The Method of Isomorphs 283 







28^ H Poly alphabetic Case: Probable Words 


The test is to be made with the rotor I of the Wehrmacht ENIGMA, the 
columns are given in Sect. 7.3.5 . Plaintext word and cryptotext fragments are 
formed with the ‘rods’. The confrontation is character by character, as shown 
in Fig. 114. In each line, except the one denoted by the arrow, there are 
contradictions (one of them is always marked by bold type). For example, 
in the first full line, the pairs A Q and H Q as well as B N and D N violate 
injectivity; the pairs R Y and R D violate uniqueness of the encryption step; 
and the pairs X U and U A, U A and A Q, F W and W I, A Q and Q R, 
Q R and R D, H Q and Q R, B N and N G, D N and N G violate the self¬ 
reciprocal property. On the other hand, in the line denoted by the arrow, 
there are the 2-cycles (J U), (M C), (S E) and the self-reciprocal property is 
not even once violated; this single hit gives the following pair of isomorphs: 

j gmgfuhrwcnsew 

UZCZBJ OTAMQES A 

Thus, rotor I is confirmed as ‘fast’ rotor R^ . Moreover, the 14 pairs of entry 
and exit characters define already nine 2-cycles of the pseudo-reflector U'^ ^, 
namely (AW), (BF), (CM), (ES), (GZ), (HO), (JU), (NQ), (RT). The 
method obviously does not require very long probable words. 

From a prefabricated catalogue with 2 x 26 2 = 1352 entries of all U'^ the 
position and order of the two rotors II and III serving for Rm and Rl can 
be determined. With such an indicator setting the decryption can be carried 
through on an ENIGMA replica. The method is characterized as ‘meet in 
the middle’. Switzerland, like other small nations, used ENIGMAs without a 
plugboard (of course with changed rotor wiring) during (and partly after) the 
Second World War (US codename INDIGO). With the help of prefabricated 
catalogues, the Germans thus read all their news. On the British side, Mavis 
Lever was an expert in rodding, she used it in 1940 and 1941 against the 
Italian Navy and was instrumental in helping the British fleet win the battle 
of Matapan. According to Hugh Alexander, Alan Turing even had a machine 
built (the ‘click machine’) for doing the rodding mechanically. It needed 
8-letter cribs. 

14.5.3 Investigation in two parts. The analysis above is based on the 
assumption that the medium rotor Rm , given the shortness of the probable 
word, does not move. If it does, however, then on the hiatus the pseudo¬ 
reflector is changed, and the investigation decomposes into two parts, without 
becoming essentially more difficult. In the Wehrmacht ENIGMA, there is 
even the advantage that the position of the notch and thus the ring-setting 
is disclosed (in the commercial ENIGMA, the notch was fixed to the rotor, 
and for each rotor the position of the notch was known). If there are two 
isomorphic texts {d,p') and (c",p") before and after the hiatus, then some 
2-cycles of the pseudo-reflector U'- 1 ’ before and some 2-cycles of the pseudo¬ 
reflector tjdb after the hiatus are known; this helps to find the position and 
order of the medium rotor Rm ■ For U! ■ , this reduces the volume of the 

catalogue to 2 x 26 2 = 1352 entries. All this is within easy reach. 
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An example (Deavours 1980) may illustrate this: We seek to investigate the 
following pair of a (rather long) probable word and a cryptotext fragment: 

general fel dmarschal 1 kessel ri ng 
LZHXBTFWUI OVBCARXSNCVZYXNEHFWB 

We assume that the investigation of the fragment general at the key 
letters Q ...Whas given a hit and two isomorphs, which can be continued 
for the key letters X, Y, Z (but not any further) and completed in this way 
reads 

exovl yl xru 
MRHF DTDRXG 

i.e., the 2-cycles (E M), (R X), (H O), (F V), (D L), (T Y), (G U) are parts 
of U ^ . The remaining text is to be linked up with key letters A ... J, which 
turns out indeed to give a hit and yields the two isomorphs 

bclaqrwrl j bspf qcobooz 
NRWXDADJ LNMYHXI ENEET 

and the 2-cycles (B N), (D R), (A W), (Q X), (J L), (S M), (P Y), (F H), 
(C I), (E O), (T Z) as parts of U^ . The two sets have in common the 
eleven characters D, E, F, H, L, M, O, R, T, X, Y . 

For the rotor that is supposed to be the medium rotor the following table of 
rotated P-alphabets is assumed: 

abcdefghijklmnopqrstuvwxyz 
A LWFTBAXJDSCKP RZQYOEHUGM IVN 
B OMXGUCBYKETDL QSARZPFIVHNJW 
C XPNYHVD CZLFU E MRT B SAQG J W I OK 
D LYQOZ IWEDAMGV FNSUCTBRHKXJ P 

For the eleven common characters D, E, F, H, L, M, O, R, T, X, Y there result 
the following tables of U ^ and U^ images: 
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Comparing now A of IJA) and B of U^ 2 \ we find the common letter 
Z in the line A under h, in the line B under cl: 

abcdefghijklmnopqrstuvwxyz 
A KPGZ TBJ IV OH 

B ZSYC EPU GW RA 
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However, in the corresponding cutting from the table of rotated P-alphabets 

abcdefghijklmnopqrstuvwxyz 
A LWFTBAXJDSCK P RZQYOEHUGM I VN 
B OMXGUCBYKETDL QSARZPFIVHNJW 
isomorphism is violated. Thus, this rotor position ‘scritches’. 

Comparing on the other hand B of U ^ and C of U O , one finds 
the letter L in the line B under e, in the line C under 1, 

the letter V in the line B under f, in the line C under h, 

the letter S in the line B under h, in the line C under cl, 

the letter Y in the line B under o, in the line C under r : 

abcdefghijklmnopqrstuvwxyz 
B DLVS GUY NJ ZF 

C SRC V LAH YK BT 

Compared with the corresponding cutting from the table of rotated P-alpha¬ 
bets, 

abcdefghijklmnopqrstuvwxyz 
B OMXGUCBYKETDLQSARZPFIVHNJW 
C XPNYHVDCZLFU E MRTBSAQG J W I OK 

there is agreement in all cases (with Y for S, U for L, C for V, S for Y). Thus, 
we have an isomorphism and this rotor position is a hit; the characterizing 
position of the notch of the medium rotor is found. Practically, this deter¬ 
mination of the rotor position can also be performed with rods carrying the 
lines of the table of rotated P-alphabets. 

14.5.4 Pluggable reflector. A variant of the method allows one to 
determine all 2-cycles of an unknown reflector U. This became necessary 
for the Allies, when in early 1944 the Germans from time to time used a 
‘pluggable’ reflector in the Luftwaffen-FINIGMA (see Sect. 7.3.3). Now, the 
method of isomorphs is carried through for all 26 3 = 17 576 initial indexes, 
with suitable probable words. This was not feasible manually and required 
special machines. The relay machine AUTOSCRITCHER (workable 1944) 
and the electronic machine SUPERSCRITCHER (workable 1946) 2 were built 
in the USA by the F Branch of the Army Signal Security Agency under the 
command of Colonel Leo Rosen. 

14.5.5 Opposing the steckering. The plugboard ruins the method of 
isomorphs, because the unknown plugboard connection (‘steckering’) veils 
the probable plaintext word. Now, it is necessary to find repeated pairs of 

2 Scritch is a dialect variant of screech. In the open literature, the words scritch, scritchmus 
were used without detailed explanation, e.g., by Derek Taunt (1993) when describing 
the atmosphere of the work at Bletchley Park with reference to the duties of Dennis 
Babbage, mentioning also the pluggable reflector. The origin of the term is therefore 
to be sought in Britain. David J. Crawford and Philip E. Fox reported in 1992 that 
they built the AUTOSCRITCHER and SUPERSCRITCHER, but were not informed 
about the cryptanalytic background. Recent work by Cipher A. Deavours (1995) has 
established the connection with the method of isomorphs. 
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plaintext and corresponding cryptotext characters. Each group of such pairs 
is mapped under the plugboard substitution into a group of corresponding 
characters from two isomorphs. Isomorphism requires that the groups are not 
split when all rotor positions are tested. The machines AUTOSCRITCHER 
and SUPERSCRITCHER were designed to carry out this task, too. The US 
Navy’s DUENNA and the British GIANT were related. 

A manual procedure (‘Hand-Duenna’) was described in 1944 by C.H. O’D. 
Alexander (now contained in the ‘Fried Reports’ of the U.S. Army liaison). 


14.6 A Clever Brute-Force Method: EINSing 


For progressive polyalphabetic encryption with a known sequence of known 
alphabets, all that is needed is to bring the alphabets in phase with the 
cipher text. For not too long periods, this can be easily mechanized by 
prefabricating a catalog with the cryptotext equivalents of a very frequent 
short word, like in German /der/, /und/, /die/, etc., or a word often used 
in the circumstances, like the German numeral /eins/. For example, the 26 
positions of the single rotor I of the Wehrmacht ENIGMA (see Sect. 7.3.12) 
encipher /eins/ as follows: 
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For the 

cryptotext 

fragment UYPMMBMDYLVWBHZB, 

four 

-letter 

groups a 


are to be looked up successively in the catalogue and there is at the thir¬ 
teenth trial the hit LVWB with key letter M. Entering the complete 
cryptotext fragment UYPMMBMDYLVWBHZB into the table of rotated al¬ 
phabets in Sect. 7.3.12 (Fig. 115) reveals the plaintext which turns out to 
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read /nummerzwoeinsaqt/; the surrounding of /eins/ makes sense and thus 
gives confirmation. 

The method was applied by Turing for the 17576 rotor positions of the 3-rotor 
plus reflector Wehrmacht ENIGMA to decipher the remaining signals of a 
day, after one signal was broken and thus the wheel order and steckering of 
this day were known. 

Turing had chosen /eins/ as a probable word when he found in his deci¬ 
phered naval traffic of five days in November 1938 that /eins/ occurecl in 
about 90% of all messages. Another test word used was /krkr/, indicating 
a priority message. The British started in 1940 using this method, called 
EINSing, and finally even machines, the ‘drag grenades’, for mechanizing it 
were built by the US Navy, allowing arbitrary cribs of four letters or less, e.g., 
frequent words like /der/ or /und/, and also camouflaged priority tokens, 
like /bine/ or /muke/. 
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Fig. 115. Method of EINSing for decrypting UYPMMBMDYLVWBHZB 


14.7 Covert Plaintext-Cryptotext Compromise 

The probable word methods have the aim of recovering the plaintext. A 
plaintext-cryptotext compromise does not need this, although in fortunate 
cases it gives the chance to recover the key and thus far more than just 
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one plaintext. Technically, all methods that work for probable words are 
applicable, and comfortably long words can be chosen. 

It can be suspected (or hoped—depending on what side one takes) that direct 
plaintext-cryptotext compromises 3 are not too frequent. But there are indi¬ 
rect ones, where the plaintext has been obtained by decryption and one is now 
confronted with a cryptotext obtained by encryption of the same plaintext 
with another cryptosystem. There are many kinds of negligence and stupid¬ 
ity that can lead to such a situation, which starts out as a harmless-looking 
cryptotext-cryptotext compromise. 

There is an immense number of possible ways that such a compromise can 
occur. One can be found in the organizational problems of key supply. A radi¬ 
cal change in the cryptosystem cannot always be carried through smoothly 
and it may happen that a message, still sent in the old key, is repeated in 
the new key. How serious this danger is can be judged from the proverb: 
“The risk that a cryptosystem is broken is never greater than at the end of 
its lifetime.” Erich Hiittenhain reported that between 1942 and September 
1944 a number of so-called CQ signals (‘call to quarters’, signals of general 
interest), sent from the State Department in Washington to its diplomatic 
outposts, were read by the Germans. The CQ strip sets for the M-138 were 
identical for all embassies. Thus, once the cipher was broken, a compromise 
was almost bound to happen when a transition to new strip sets was made. 
Moreover, for many methods used in practice, as soon as the system is 
known a plaintext-cryptotext compromise is particularly dangerous because 
even the key is exposed and thus a deep break into the cryptosystem is 
possible. Hiittenhain concluded in retrospect (1978) that no encryption 
method should be used that is susceptible to plaintext-cryptotext compro¬ 
mise („Es diirfen also keine Chiffrierverfahren verwendet werden, die gegen 
Klar-Geheim-Kompromisse anfallig sind“). In combination with Kerckhoffs’ 
maxim, Hiittenhain’s maxim excludes many beloved classical cryptosystems; 
it excludes all those having the Shannon property (see Sect. 2.6.4). 

Errors are bound to happen everywhere. Kahn remarked to this “the Ger¬ 
mans had no monopoly on cryptographic failure. In this respect the British 
were just as illogical as the Germans”. He could have added ‘the Americans’. 


3 The verb ‘to compromise’ means, according to Merriam-Webster’s, among other things 
‘to put in jeopardy, to endanger by some act that cannot be recalled, to expose to some 
mischief’. In cryptology, the use of the word ‘compromise’ has this particular flavor. 
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Anatomy of Language: Frequencies 


We can only say that the decryptment 
of any cipher even the simplest will at times 
include a number of wonderings. 
Helen Fouche Gaines 1939 

Decryption as discussed so far, based on patterns, uses the common skeleton 
of the language underlying the plaintext. The decryption strategy to be 
discussed now uses the internal organs, different from one natural language 
to another. It aims at the stochastic laws of the language, particularly at 
character and multigram frequencies. This aspect of cryptography goes back 
to a manuscript of the Arab philosopher Jaakub Ibn Ishak al-KindT (about 
800-870) and was published by Leone Battista Alberti (De Cifris, 1466). A 
theoretical explanation of the stability of character frequency goes back to 
Ferdinand de Saussure (1857 -1913), published in 1916. 

First of all, there is the obvious 

Invariance Theorem 2: For all simple transpositions, 
frequencies of the individual characters in the text are invariant. 

15.1 Exclusion of Encryption Methods 

Theorem 2 can be used negatively to exclude transpositions—namely if the 
cryptotext shows individual character frequencies which are definitely not 
those of the presumed language of the plaintext. But caution is also advised. 
For example, data on technical measurements may well have frequencies dif¬ 
ferent from those of usual natural languages. 

15.1.1 An example. The cryptotext 

FDRJN UHVXX URDMD SKVSO PJRKZ DYFZJ 

XGSRR VTQYR WD ARW DFVRK VDRKV TDFSZ 

ZDYFR DNNVO VTSXS A WV Z R 

shows R, D, V, S as the most frequent characters, while B, C, E, I, L are 
very rare, indeed they are missing. It cannot be obtained from an English, 
German, French, or Italian plaintext by transposition. In fact, it is a simple 
substitution, see Sect. 13.3.1. 

15.1.2 A counterexample. On the other hand, it cannot be excluded 
that the cryptotext (Sect. 12.5, Table 7) 

SAEWS HRCNU ODKLN ELIAS HNCIO NBNNA 

AKI HM CWNZ A MCGI M IHEEN NAUFK NNCTI 

T I HMD RTEWO ATAIM TALKB UEAFZ LNUSE 

A S D E N 
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with E and T among the most frequent individual characters and with V, P, J, 
Q, X and Y missing originated from transposition of a German text. 

15.1.3 Plausible reasoning. Theorem 2 is also used (logically inadmissi- 
bly) in the sense of plausible reasoning: If the frequency distribution of the in¬ 
dividual characters is that of some natural language, then presumably trans¬ 
position has happened. The naive argument is: What else—which other pro¬ 
cedure would leave invariant the frequency distribution of the individual char¬ 
acters? This may be plausible if one is sure that nobody would have taken the 
trouble to devise an encryption completely different from transposition, which 
leaves the frequency distribution invariant, but this is no proof and a judge¬ 
ment could not be based on it. In fact, a homophonic poly graphic substitu¬ 
tion, say a code, can easily be made to imitate prescribed character frequen¬ 
cies. W. B. Homan described in 1948 a coding method that gives all characters 
equal frequencies (‘equifrequency cipher’). The same is achieved with strad¬ 
dling by Shannon’s and Huffman’s redundancy-eliminating ‘optimal’ coding. 

Such tricks, however, will not dupe the professional unauthorized decryptor 
for long. Nevertheless, in 1892 the great Bazeries, attempting to break a 
message seized from a group of French anarchists, was delayed for a fortnight 
because he was misled by six nulls adjoined to the beginning and to the 
end, and by several rare letters sprinkled into the message. In fact, it was 
a VIGENERE with period 6, otherwise a triviality for Etienne Bazeries. 
It may have been a mistake to adjoin just as many letters as the period 
was, but maybe he could not imagine such a stupidity. Part of the deadly 
message, by the way, read: La femme et lui sont des mouchards, s ’il m ’arrive 
quelque chose, songe a les supprimer [He and the woman are spies; if anything 
happens to me, take care to let them disappear]. 

15.2 Invariance of Partitions 

Partitions are to this chapter what patterns were to Chapter 13: the abstract 
vehicle for the invariance of frequencies. A partition is a decomposition of a 
natural number M into a sum of natural numbers m,, 

M = mi + m 2 + m 3 + ... + rajv . 

To every text of length M there belongs a partition of M, namely the number 
of occurrences of the N individual characters in the text with the vocabulary 
Zjy ■ Zeros are usually suppressed, thus the text /monoalphabetic/ 
has the partition 14 — 2 —t—2—F1 —t— 1—F1—F1—P1—(— 1—P1 —P1 —F1 —P1 . 

Therefore, we speak of a partition of the number of characters in the text. 
There is a fundamental theorem parallel to Theorem 1 (Sect. 13.1): 

Invariance Theorem 3: For all monoalphabetic, functional simple 
substitutions, especially for all monoalphabetic linear simple substitu¬ 
tions (including CAESAR additions and reversals), 
partitions of the individual characters in the text are invariant. 
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The monoalphabetic encryption of the text /wintersemester/ by functional 
simple substitutions, whatever they may be, consists of 4 specimens of some 
character, 2 specimens of some other character, 2 specimens of some third 
character and so on. The partition is 4+2+2+2+1+1+1+1 and is invariant. 

Given the encryption 

Z L Q WH U V H P H V WH U 


and assuming that the unauthorized decryptor knows the frequencies of cer¬ 
tain plaintext letters, namely /e/ four times, /r/ twice, /s/ twice, /t/ twice, 
/i/ once, /m/ once, /n/ once, /w/ once, then he would know that 
H = e, {UVW} = {r s t} , {LPQZ} = {i m n w} . 
and has a polyphonic decryption (bold-faced letters) 


m m m 
n n n 5 

WWW 1 


r r 1 r r 

m 

6 s s e ess 

t t i t t 


r 

e s 
t 


In fact, the unauthorized decryptor knows a little bit less, for he knows 
the frequencies of all the plaintext letters only approximately. According 
to the inherent rules of a language, each character \i appears only with a 
certain probability pi (from a ‘stochastic source’ Q), such that the frequency 
m i = Q[Xi] of its occurrence is close to M ■ pi , with M = E f^mi. 



Fig. 116. Frequency profile, English language 



Fig. 117. Frequency profile, German language 
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15.3 Intuitive Method: Frequency Profile 

To arrive at an intuitive method of decrypting monoalphabetic substitutions, 
it is recommended to visualize the ‘frequency profile’ of the language under 
consideration. 

In the English language (Fig. 116), the frequency profile shows a marked e- 
peak and a somewhat smaller a-peak. There is also the marked elevation, of 
the r-s-t ridge, and two smaller ones, the 1-m-n-o ridge and the h-i ridge. 

In the German language (Fig. 117), the frequency profile is rather similar, 
but the e-peak is more marked, there is a wider r-s-t-u ridge, and a wider 
f-g-h-i ridge. Both languages show a j-k depression and a p-q depression and 
a very marked v-w-x-y-z lowland. 

The discrepancies between any of the major European languages, like French, 
Italian, or Spanish, are no greater than those between English and German. 
In the Romance languages, the a-peak is more marked and there is an isolated 
i-peak. At a glance, they are rather alike. 

15.3.1 CAESAR. For a transposition, a frequency count gives a profile 
close to that of the language under consideration. But also a monoalphabetic 
simple linear substitution (see Sect. 5.5) with h— 1, a CAESAR addition, is 
detected at first glance: 

Invariance Theorem 4: For all CAESAR additions, 
the frequency profile of the text is simply cyclically shifted. 


The cryptotext of M = 349 characters 


H 

V 

Z 

D 

U 

V 

F 

K 

R 

Q 

G 

X 

Q 

N 

H 

O 

D 

O 

V 

L 

F 

K 

L 

Q 

E 

R 

Q Q 

D 

Q 

N 

D 

P 

L 

F 

K 

C 

Z 

D 

Q 

J 

p 

L 

F 

K 

P 

H 

L 

Q 

H 

D 

Q 

N 

X 

Q 

I 

WQ 

L 

F 

K 

WP 

L 

W 

G 
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X 

WR 
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H 

Q 

C 

X O 

D 

V 

V 

H 

Q 

G 

L 

H 

V 
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F 
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L 

Q 

I 

X 

H 

Q 

I 

MD 

H 

K 

U 

L 
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H 

P 

X Q 

WH 

u 

Z 

H 

J 

V 

V 

H 

L 
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K 

H 

u 

D 

X 
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J 

H 

E 
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O 
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WK 

D 

WE D 
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wu 
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L 

Q 
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Q 












has the frequency profile shown in Fig. 118. Obviously, the encryption is a 
CAESAR addition with a shift by 3 . (The decrypted text is from a novel by 
Heinrich Boll.) 

15.3.2 Warning. But note that Theorem 4 cannot be reversed: A cycli¬ 
cally shifted frequency profile is compatible with a composition of a transpo¬ 
sition and a CAESAR addition. 
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ABCDEFGHI J KL MNOPQRS TUVWX Y Z 
Fig. 118. Frequency profile for the cryptotext Boll of Sect. 15.3.1 


15.3.3 Another warning. The method may be misleading under excep¬ 
tional circumstances, e.g., with the following cryptotext of 175 characters: 


V Q P O U 
I P X B C 
GKOEB 
S MT P G 
El B Q Q 
E S B X O 


TKTKB 
V O D I P 
D I B N Q 
I K T P X 
ZKOEK 
U P I K N 


I K T C B 
G C S K H 
IiPOBN 
O B N B O 
WK E V B 
B T K T B 


NHPKO 
I U Z P V 
BOXKU 
P G T P E 
MK U Z U 
G MZ U P 


H U P T I 
O H G P M 
I C P Z T 
P N K 0 U 
I B U Z P 
B T V H B 


P X Z P V 
L T E K E 
B O E H K 
KOHBO 
V U I K T 
S C P X M 


The frequency profile (Fig. 119) shows a considerable deviation from that 
in Figs. 116 or 117. One could think of an exotic language. The suspicion 
that the encryption is also a CAESAR addition (over Z 25 ) with a shift by 1: 

“upon this basis i am going to show you ”—is raised by the strip method 

of Sect. 12.7, which already gives ‘upon’ for the first four characters without 
reasonable doubt. The breakdown of the frequency-oriented intuitive method 
comes from the fact that the frequencies of the characters are distorted: the 
text is a lipogram taken from Gadsby (see Sect. 13.3.2, Fig. 102). 



ABCDEFGHI KLMNOPQRS TUVWX Y Z 
Fig. 119. Frequency profile for the cryptotext of Sect. 15.3.3 


15.4 Frequency Ordering 

For a monoalphabetic simple linear substitution with h = — 1 (especially 
for a reversal) the frequency profile is simply right-left reflected. For values 
of h different from 1 and —1 and for non-linear simple substitutions, the 
frequency profile is useless: the letter neighborhoods are torn. Naive intuition 
uses the frequency ordering in this case: The most frequent character in the 
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cryptotext should correspond to the most frequent letter of the language 
under consideration. After removing this cryptotext and plaintext character 
pair, the procedure is repeated until all characters are exhausted and all the 
encryption steps are established. 

15.4.1 Drawbacks of frequency ordering. Theoretically, the method 
should work, at least for sufficiently long texts—sufficiently long would mean 
that the few lipograms that may exist would also be submerged in the mass of 
‘normal’ texts. But the example given in Sect. 15.2, leading to a polyphonic 
situation even if the true frequencies of the plaintext letters are known, shows 
a fundamental limitation of this procedure: There may be cryptotext letters 
of the same frequency, and the choice is then non-deterministic. 

Moreover, even long texts normally show considerable fluctuations of char¬ 
acter frequencies. ‘The’ frequency distribution of English is a fiction, and 
at best the military, diplomatic, commercial, or literary sublanguages show 
some homogeneity; indeed even the same person may speak a different lan¬ 
guage depending on the circumstances. Correspondingly, statistics on letter 
frequencies in different languages are quite variable. Moreover, most of the 
older counts were based on texts of only 10 000 or fewer letters. For the 
frequency ordering there are already great differences in the literature: 

For the English language: 

eaoidhnrstuycfglmwbkpqxz (E. A. Poe 1843) 
etaoinshrdlucmfwypvbgkqjxz (O. Mergenthaler 1884) 
etoanirshdlcfumpywgbvkxjqz (P. Valerio 1893) 
etaonisrhldcupfmwybgvkqxjz (H. F. Gaines, O.P. Meaker 1939) 
etoanirshdlcwumfygpbvkxqjz (L. D. Smith 1943) 
etoanirshdlufcmpywgbvkxzjq (L. Sacco 1951) 
etaonirshdlucmpfywgbvjkqxz (D.Kahn 1967) 
etaonrishdlfcmugpywbvkxjqz (A. G. Konheim 1981) 
etaoinsrhldcumfpgwybvkxjqz (C. H. Meyer, S. M. Matyas 1982) 

For the French language: 

eusranilotdpmcbvghxqfjyzkw (Ch. Vesin de Romanini 1840) 
ensautorilcdvpmqfgbhxyjzkx (F. W. Kasiski 1863) 
esriantouldmcpvfqgxjbhzykw (A. Kerckhoffs 1883) 
easintrulodcpmvqfgblrjxyzkw (G.de Viaris 1893) 
enairstuoldcmpvfbgqhxjyzkw (P. Valerio 1893, M. Givierge 1925) 
eaistnrulodmpcvqgbfjhzxykw (H. F. Gaines 1939) 
etainroshdlcfumgpwbyvkqxjz (Ch. Eyraud 1953) 

For the German language: 

enrisdutaghlobmfzkcwvjpqxy (Ch. Vesin de Romanini 1840) 
enirsahtudlcgmwfbozkpjvqxy (F. W. Kasiski 1863) 
enirstudahgolbmfzcwkvpjqxy (E. B. Fleissner von Wostrowitz 1881) 
enritsduahlcgozmbwfkvpjqxy (P. Valerio 1893) 
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enrisatdhulcgmobzwfkvpjyqx (F. W. Kaeding 1898) 
enritsduahlcgozmbwfkvpjyqx (M. Givierge 1925) 
enirstudahgolbmfczwkvpjqxy (A. Figl 1926) 
enirsadtugholbmcfwzkvpjyqx (H. F. Gaines, J.Arthold 1939) 
enristudahglocmbzfwkvpjqxy (L.D. Smith 1943) 
enritsudahlcgozmbwfkvpjqxy (L. Sacco 1951) 
enisrtahduglcofmbwkzvpjyqx (Ch. Eyraud 1953) 
enisratduhglcmwobfzkvpjqxy (W. Jensen 1955) 
enisratdhulcgmobwfkzpvjyxq (A. Beutelspacher 1987) 
enirsatdhulgocmbfwkzpvjyxq (F. L. Bauer 1993, SZ3-92) 

Reliable figures for Italian, Spanish, Dutch, and Latin can be found in the 
book by Andre Lange and E.-A. Soudart, 1925. 

For the first dozen or so letters there exist pretty mnemonic strophes, like 

English: etaoinshrdlu (LINOTYPE) 

French: esarintulo (Bazeries, Givierge) 

German: enirstaduhl (Hiittenliain) 

Italian: eiaorlnts (Sacco) 

The frequency distribution in English was reflected already in the length 
of the Morse code symbols of telegraphy—Morse counted the letters in the 
type-case of a printer’s shop in Philadelphia and found: 12000 /e/, 9000 /t/, 
8000 /a/, /i/, /n/, /o/, /s/, 6400 /h/. For technical reasons, the frequency 
distribution of letters in English also influenced the arrangement on the key¬ 
board of the type-setting machine LINOTYPE (Figure 120) of Ottmar Mer- 
genthaler (1854-1899). 



15.4.2 Frequency counts. For the German language, in 1898 the stenog¬ 
rapher F. W. Kaeding (1843-1934) made an extensive frequency count. For 
the purpose of stenography he studied texts comprising altogether 20 million 
syllables and thus had 62 069 452 letters (with a, 6, ii replaced by ae, oe, ue). 
We can presume that this count is large enough to avoid bias. 
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The frequency ordering mentioned above is based on this count. If we con¬ 
fronted it with the frequency ordering for the cryptotext Boll in Sect. 15.3.1 
(Fig. 118), putting letters with the same frequency in alphabetic order, we 
obtain the decryption table 

54 41 36 24 23 22 21 19 18 10 10 10 9 9 9 8 8 5 4 4 3 1 1 0 0 0 

HQDWLVKUXFJ PEGI NOCS ZRAMBTY 
e n r i s a t d h u 1 cgmobzwfkvpj y q x . 

Decrypting the beginning of the cryptotext Boll, 

HVZDU VFKRQ GXQNH ODOVL FKLQE RQQDQ 

with this table produces a totally unacceptable plaintext: 
e a k r cl a u t v n mhnbe z r z a s u t s n g v n n r n . 

Taking the cryptotext letters of equal frequency in a different order does not 
improve the situation. In fact, the decryption table is obtained by counting 
backwards three letters and reads 

HQDWLVKUXFJ PEGI NOCS ZRAMBTY 
e n a t i shrucgmbdfkl z p w o x j y q v , 

so the true decryption has only e and n correct and reads 
eswar schon clunke lalsi chi n b onnan. 

15.5 Cliques and Matching of Partitions 

Figure 121 shows that in the example above the true frequency ordering dif¬ 
fers considerably from the one based theoretically on probabilities: there are 
local permutations, where /r/ and /v/ jump by 5 positions, and /d/, /l/, 
and /o/ by 6. Others jump only by one or two—but whether large or small, 
every crossover ruins the right association of plaintext and cryptotext char¬ 
acters. Only a few letters—among others /e/ and /n/—are paired correctly. 
Certainly, the shortness of the cryptotext Boll is responsible for fluctuations, 
but not completely, as we shall see in a moment. 


enati shrucgmbdfkl zpwoxj yqv 



enri satclhul cgmobzwfkvpj yqx 


Fig. 121. Confrontation between observed frequencies and probability based frequencies 

There is no fully automatic decryption on the basis of frequency ordering. 
The reason is that even longer texts show fluctuations, and the empirically 
determined probabilities fluctuate as well. This leads to crossovers in the 
frequency order. 
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A .. A.A. 


eni rsatdhul gocmbfwkzpvj yxq 


100 


i; 


1 ! * i | 
• * 


! 1 1 1 ■. ■ i i , 




eni rsatdhul gocmbfwkzpvj yxq 


I 


1000 


I i 


I I 


1 1 t r I I 


s t 


• i i 


eni rsatdhul gocmbfwkzpvj yxq 


10 000 


i i 


i. 


eni rsatdhul gocmbfwkzpvj yxq 


100 000 


Fig. 122. Fluctuations of the frequency of the individual letters in newspaper German 
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15.5.1 Fluctuations. In fact, not only the frequency order, but also the 
individual frequencies given in the literature show deviations. We therefore 
investigated the fluctuations that are to be expected in German texts of 
100, 1000, 10 000, and 100 000 characters. A typical result is given in Figure 
122 (the dotted line gives the mean frequency). The text basis of 681972 
characters was a collection of all political commentaries taken from a daily 
newspaper in March 1992 (henceforth called SZ3-92). It clearly shows the 
overlapping of the fluctuation regions and how it decreases, the longer the 
text is. The fluctuation itself decreases roughly with the square root of the 
length of the text, as Figure 123 shows for the letter /e/. 


100 1000 10000 100000 681972 

Fig. 123. Fluctuations of the frequency of the letter /e/ in German 
depending on the length of the text 

Specifically, we made the experiment of confronting the frequency order of 
Meyer-Matyas (Sect. 15.4.1) with a rather long English text of 29 272 char¬ 
acters (taken from this book), whose letter frequencies are given in Fig. 124. 

3879 2697 2240 2151 2133 2082 1910 1907 1415 1095 1035 995 780 

etanoirshdlcm 
765 719 687 620 551 469 404 277 230 101 55 45 30 

uf pygwbvkxzqj 

Fig. 124. Frequency distribution in an English text of 29 272 characters 

Figure 125 shows the resulting confrontation. There are fewer crossovers, but 
there are still some. We could not expect, even for a 100 000-letter crypto¬ 
gram, to make substitutions by simply following a good frequency table and 
be absolutely sure of coming out with the correct solution. 


et anoi r s hell emuf pygwbvkxzqj 



etaoi nsrhl dcumfpgwybvkxj qz 


Fig. 125. Confrontation between (above) observed frequencies in an English text 

of 29 272 characters and (below) probability-based frequencies (Meyer-Matyas) 
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If the long English text is subjected to a simple substitution and then de¬ 
crypted by means of a confrontation of the observed and the probability-based 
frequency orderings, a fragment of it reads as follows: 


i v e s t h e 
e 1 a t s e a 
n t e s a t m 
s u a d d g r 
a f e y u a x 


c e o t m s n 
r m s g i f e 
s e r h i y r 
c a t t e s e 
n u r f i s c 


e r c s g p t 
x p e s n e o 
t h n r t h e 
1 c a o b e c 
s g p t i w s 


i d i w g h a r 
cereveot 
reexpesn 
i o c e o t s a 
a p h n c y i s 


c i d d e c t 
h e i p e o d 
e o c e r o i 
t e 1 n o t i 
k n o p a s t 


It cannot be read fluently, and only after fixing an irritating 3-cycle between 
/i/, /o/, and /n/, and a 2-cycle between /r/ and /s/, can it serve as a rough 
decrypt. The true text (see the beginning of Sect. 11.2) is: 

overthecenturiescryptologyhas col lect 
edatreasuryofexper iencesevent heopenl 
i teratureshowsthi stheseexper i e ncesno 
rmal lyscatteredcanbeconcentrat edinto 
afewmaximsforcryptographicwork inpart 


15.5.2 Cliques. Rather than working with a frequency ordering of char¬ 
acters, it is preferable to work with an ordering of ‘equifrequency’ cliques of 
characters that are hard to separate on account of their frequencies. 

For the English language there is a decomposition of the set of letters into 
cliques, essentially given by Laurence Dwight Smith in 1943: 

{etaoin} {srh} {Id} {cumfpgwyb} {vk} {xjqz} , 

or somewhat more finely decomposed, 

{e} {t} {aoin} {srh} {Id} {cumf} {pgwyb} {vk} {xjqz} , 

which can be further decomposed for long and ‘normal’ texts into 

{e} {t} {ao} {in} {srh} {Id} {cu} {mf} {pgwy} {b} {v} {k} {xjqz} . 

For the German language too there exists a decomposition of the set of letters 
into cliques, essentially given by Andre Lange and E.-A. Soudart in 1925: 

{e} {nirsatdhu} {lgocmbfwkz} {pvjyxq} , 

or somewhat more finely decomposed, as clearly suggested by Figure 122 
{e} {n} {irsat} {dhu} {lgocm} {bfwkz} {pv} {jyxq} , 
which can be further decomposed for long and ‘normal’ texts into 
{e} {n} {ir} {sat} {dhu} {lgo} {cm} {bfwkz} {pv} {jyxq} . 

With interactive computer support, an exhaustive procedure is indicated, 
which treats the cliques one after another. In particular, if the decomposition 
is fine enough to allow cliques of two or three elements, the exhaustive effort 
is feasible. 
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{e} {t} {a} {noi} {rs} {h} {dl} {c} {mufp} {ygw} {b} {v} {k} {xzqj} 


{ e l {t} {aoin} {srh} {Id} {cumf} {pgwyb} {vk} {xjqz} 
Fig. 126. Confrontation of the cliques 


For the example of the long English text (Fig. 125), the actual clique and 
below one of the standard cliques from above are confronted in Figure 126 . 
In this case, the rough decryption was still rather good because the cliques 
did not overlap too much and there was a clear gap between /a/ and /n/, 
between /s/ and /h/, and between /c/ and /m/. In such cases only a few 
exhaustive trials are necessary. 

15.5.3 Example. For the short cryptotext Boll of Sect. 15.3.1 with the fre¬ 
quencies in Figure 118 no such fine decomposition into cliques will work. 

54 H and 41 Q suggest H = e and Q = n, but in view of the next frequencies 
36 D, 24 W, 23 L, 22 V, and 21 K, it cannot be expected that the cliques {ir} 
and {sat} are separated. But D is well separated and it looks tempting to set 
D= i. This would leave {rsat} confronted with {WLVK}, which means 4!=24 
trials. Unfortunately, none of these give reasonable texts. In fact, the next 
two frequencies 19 U and 18 X are so close that a crossing-over into the clique 
{dhu} might be responsible. This would mean that 81 = 40 320 trials were to 
be made, which is outside the reach of exhaustion. 

{h} {Q} {D} {luvwkx} {gojfpein} {rzcs} {ymbat} 


{e} {n} {ir} {sat} {dhu} {lgo} {cm} {bfwkz} {pv} {jyxq} 
Fig. 127. Confrontation of the cliques for the cryptotext Boll of Sect. 15.3.1 


Figure 127 shows the confrontation of the cliques. Obviously, for short texts 
mechanical decryption on the basis of individual letter frequencies does not 
work. At least, other stochastic peculiarities of language must be taken into 
account, like bigram frequencies. This will be studied in Sect. 15.7. 

15.5.4 Empirical frequencies. For the English language, Table 9 gives 
empirical relative frequencies /q = m, /M, the result of a count by Meyer- 
Matyas, based on 4 000 000 characters in a corpus of everyday English. Solo¬ 
mon Kullback pointed out in 1976 that the genre of communications gives rise 
to strong fluctuations, and diffentiates ‘literary English’ with a frequency for 
/e/ of 12.77% from ‘telegraphic English’ with a frequency for /e/ of 13.19% . 
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For the German language, the text basis SZ3-92 with a total of M = 681972 
characters gives results which are likewise tabulated in Table 9. 

The numerical values in Table 9 may serve as a hypothetical probability 
distribution of a stochastic source. 

character English German character English German 


a 

8.04% 

6.47% 

n 

7.09% 

9.84% 

b 

1.54% 

1.93% 

o 

7.60% 

2.98% 

c 

3.06% 

2.68% 

P 

2.00% 

0.96% 

d 

3.99% 

4.83% 

q 

0.11% 

0.02% 

e 

12.51% 

17.47% 

r 

6.12% 

7.54% 

f 

2.30% 

1.65% 

s 

6.54% 

6.83% 

g 

1.96% 

3.06% 

t 

9.25% 

6.13% 

h 

5.49% 

4.23% 

u 

2.71% 

4.17% 

i 

7.26% 

7.73% 

V 

0.99% 

0.94% 

j 

0.16% 

0.27% 

w 

1.92% 

1.48% 

k 

0.67% 

1.46% 

X 

0.19% 

0.04% 

1 

4.14% 

3.49% 

y 

1.73% 

0.08% 

m 

2.53% 

2.58% 

z 

0.09% 

1.14% 


Table 9. Hypothetical character probabilities of a stochastic source 
in English and in German 


For the German language, the frequency of /e/ is skewed by the crypto- 
graphic custom of decomposing /a/, /o/, /u/ into /ae/, /oe/, /ue/. 
George K. Zipf and Benoit Mandelbrot have published empirical formulas for 
the relative frequency of the fc-th letter which fit many languages astonish¬ 
ingly well, namely 

p(k) oc 1/A: and p(k) oc l/(k + c) m for suitable positive c,m . 

The actual values for the English language are shown graphically in Figure 
128. A convincing theoretical explanation has not been given. 


.♦. . . .». 


e 111 a o | i n|s r h 11 d|c u|mf|pgwy|b|v|k|xj q z ‘English’ 
Fig. 128. Relative frequencies of characters in the English language (Meyer-Matyas count) 
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15.6 Optimal Matching 

15.6.1 Squared distance. The frequency deviation between a given text 
T with M characters and an expected text T® of equal length from a stochas¬ 
tic source Q can be measured by the squared distance d(T,T®), 

d{T,T<>) = YZi{m i -M.p i ) 2 . 

Here pi denotes the probability for the appearance of the z-th character \i 
(i = 1... N) in the stochastic source Q, to* the frequency of \i i n tire text 
T, where EE m i ~ M . 

Let zj be a permutation on the cryptotext characters. The value of 

d a = d a (T,TQ) = EtrK - M-p a{i) f 
measures the concordance between the cryptotext T with the observed fre¬ 
quencies nij and a cryptotext expected under the permutation er from the 
stochastic source Q ; 

mhv d(j = min CT EE( to * ~ M ' Va(i )) 2 
characterizes a permutation achieving optimal concordance, which therefore 
is a candidate for the decryption. Because of fluctuations, permutations 
bringing d a close to the minimum are also candidates for correct decryption, 
but with increasing d a they become less and less interesting. 

15.6.2 Minimization. Obviously EE P^(i) = EE Pi and thus 

JV N N N 

min J2( m i - M • p a ^) 2 = ^m, 2 + M 2 ^ p 2 - 2 M max ^ to* ■ p„ (i) . 
2=1 2=1 2=1 2=1 

To find candidates for decryption, it therefore suffices to consider the follow¬ 
ing maximum: N 

max E m ■ p a (i) 

i= 1 

Theorem: Assume m, > m,+i for all i. 

EzI 1 m i • P<r(i) is maximal, if and only if > p a ^ i+1 ) for all i . 

Proof: Since every permutation can be expressed as a chain of swaps of two 
elements, it suffices to investigate the contribution of a swap of two elements 
Xj, Xk to the sum. Then 

m 3 ' P<r(j) + m k ■ Pa(k) > m,j ■ p a ( k ) + TO fc • p a( j) if and only if 

(■mj - TO fc ) • ( 2 V(j) - Pa(k)) > 0 , i-e., if and only if > p a ( k) . cx 

The result, that the optimal concordance is reached by matching in the fre¬ 
quency ordering, is supplemented by the strategy of finding other candidates 
for the decrypting permutation by swaps of pairs of characters Xji Xk such 
that each time 

(my - TOfc) • (p CT( y) - p c r( fc ) ) 

is minimal. 
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15.6.3 Example. We assume the probabilities pi of Table 9 and investigate 
the CAESAR encrypted text Boll of Sect. 15.3.1 (with the frequencies to, in 
Fig. 118, M = 349). Using a decryption cr 0 according to the frequency order 
of Table 9 (German), there results for EZi m * ' Pa(i) a maximal value, 

EZ i m i ■ PMi) = 2634.56% = M ■ 7.5489% . 

If D= i, W= r is swapped to D= r , W= i, which corresponds to the frequency 
order of Kaeding, then the value is slightly diminished by 

(36 —24)-(7.73% —7.54%) = 2.28% = M ■ 0.0065 to become 

EZi m i ’ P<n(i) = 2632.28% = M ■ 7.5424% . 


For the correct decryption cr*, we even obtain a value with a larger deviation 



^~\N 

: i ' Pa * (i) 

= 2585.95% = 

- M ■' 

7.4096%. 







Value of 


T,Zi m i 

; in this example: 



9347 



=. 

M 2 

• 7.6740%. 

Value of 

M 2 

zZi p? 

according to Table 9 : 


9275.7162 

= 

K'f 

! - 7.6155%. 

Value of 

M • 

■ Ei=i m -‘ 

i ' Pcr 0 (- 

o : 





9194.6144 = 

=. 

M 2 

• 7.5489% : 

Value of d ao (T, T Q ) = 

E 

N 
i=1 

(to— M ■ 

Ptr 0 (i)) 

2 . 

233.4874 = 

= M 2 

•0.1917%. 

Mimimizing d a (T, T®) does 

not give the correct decryption 

a. 

; ! 



.a 

.b 

.c 

.d 

•e .f .g 

.h 

.i 

•j -k .1 

.m 

.n 

.O 

•P 

•q - r 

.s 

.t 

.u 

.v . 

W 

.x .y .z 

a. 1 32 

39 

15 

10 18 


16 

10 77 

18 

172 

2 31 

1 101 

67 124 12 24 

7 

27 1 

b. 8 




58 


6 

2 21 

1 


11 


6 

5 


25 



19 

c. 44 


12 


55 1 

46 

15 

8 16 



59 

1 

7 

1 

38 

16 


1 


d. 45 

18 

4 

10 

39 12 2 

3 

57 

1 7 

9 

5 

37 

7 

1 10 

32 

39 

8 

4 

9 

6 

e. 65 

11 

64 

107 

39 23 20 

15 

40 

1 2 46 

43 

120 

46 32 

14 154 145 

80 

r i6 4i 

17 17 

f. 21 

2 

9 

1 

25 14 1 

6 

21 

1 10 

3 

2 

38 

3 

4 

8 

42 

11 

1 

4 

1 

g. 11 

2 

1 

1 

32 3 1 

16 

10 

4 

1 

3 

23 

1 

21 

7 

13 

8 


2 

1 

h. 84 

1 

2 

1 251 2 

5 

72 

3 

1 

2 

46 

1 

8 

3 

22 

2 


7 

1 

i. 18 

7 

55 

16 

37 27 10 



8 39 

32 

169 

63 

3 

21 : 

106 

88 


14 

1 

1 4 

j- 




2 






4 





4 




k. 




28 


8 



3 

3 



2 

1 



3 

3 

1. 34 

7 

8 

28 

72 5 1 


57 

1 3 55 

4 

1 

28 

2 

2 2 

12 

19 

8 

2 

5 

47 

m. 56 

9 

1 

2 

48 

1 

26 


5 

3 

28 

16 


6 

6 

13 


2 

3 

n. 54 

7 

31 

118 

64 8 75 

9 

37 

3 3 10 

7 

9 

65 

7 

5 

51 

110 

12 

4 : 

L5 

1 14 

o. 9 

18 

18 

16 

3 94 3 

3 

13 

5 17 

44 

145 

23 29 

113 

37 

53 96 

13 36 

4 2 

p. 21 

1 



40 

7 

8 

29 



28 26 42 3 

14 

7 


1 


2 

q- 















20 




r. 57 

4 

14 

16 

148 6 6 

3 

77 

1 11 12 

15 

12 

54 

8 

18 

39 

63 

6 

5 : 

L0 

17 

s. 75 

13 

21 

6 

84 13 6 

30 

42 

2 6 

14 

19 

71 24 

2 6 

41 

121 

30 

2 27 

4 

t. 56 

14 

6 

9 

94 5 1 315 128 

12 

14 

8 

111 

8 

30 

32 

53 22 

4 : 

L6 

21 

u. 18 

5 

17 

11 

11 1 12 

2 

5 

28 

9 

33 

2 

17 

49 

42 

45 




111 

v. 15 




53 


19 




6 









w. 32 


3 

4 

30 1 

48 

37 

4 

1 

10 

17 

2 

1 

3 

6 

1 

1 

2 


x. 3 


5 


1 


4 




1 

4 



1 

1 




y- n 

11 

10 

4 

12 3 5 

5 

18 

6 

4 

3 

28 

7 

5 

17 

21 

1 

3 : 

14 



z. 5 2 1 


Table 10. Bigram frequencies (in %%) in English (after O. Phelps Meaker) 


1 
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15.7 Frequency of Multigrams 

Even more than frequencies of individual characters, multigram frequencies 
imprint a language. Their importance is illustrated by 

Invariance Theorem For all monoalphabetic, functional simple 
substitutions, especially for all monoalphabetic linear simple substitu¬ 
tions (including CAESAR additions and reversals), 
partitions of n-grams within the text are invariant. 

15.7.1 Frequency tables. According to the theorem, the frequency of 
n-grams in a cryptotext can be used for decryption, too. However, for N = 26 
there are already 676 bigrams and 17 576 trigrams; only in rather long crypto¬ 
texts will enough bigrams and trigrams be found, and in short texts even 
bigrams are quite rare, therefore the influence of fluctuations is substantial. 
Cryptanalysis of monographic encryptions on the basis of bigrams alone in¬ 
stead of single characters does not bring great advantage. 

The frequencies of bigrams (as indicated by Tables 10, 11) and trigrams are 
even more unbalanced than those of single characters. The 19 most frequent 


.a 

.b 

.c 

.d 

.e 

.f 

•g 

.h 

.i 

•j 

.k .1 

.m 

.n 

.o 

•P 

.q .r 

.s 

.t .u 

.V 

.w .X 

•y 

.z 

a. 8 31 

27 

11 

64 

15 30 

20 

5 

1 

7 59 

28 

102 


4 

51 

53 

46 75 

2 

3 

l 

2 

b. 16 

1 


1 

101 


3 

1 

12 


1 9 


1 

8 


9 

6 

4 14 


1 

l 

1 

c. 2 



2 

1 



242 

1 


14 1 



2 



1 






d. 54 

3 

1 

13 227 

3 

4 

2 

93 

1 

3 5 

4 

6 

9 

3 

10 

11 

6 16 

3 

4 


3 

e. 26 45 25 

51 

23 26 50 

57 193 

3 

19 63 

55 400 

6 

13 

1 409 

140 

55 36 

14 23 2 

l 

11 

f. 19 

2 


9 

25 

12 

3 

1 

7 


1 5 

1 

2 

9 

1 

18 

4 

20 24 

1 

1 


1 

g. 20 

3 


12 

147 

2 

3 

3 

19 

1 

3 9 

3 

5 

6 

1 

14 

18 

18 11 

4 

3 


3 

h. 70 

4 

1 

14 

102 

2 

4 

3 

23 

1 

3 25 

11 

19 

18 

1 

37 

11 

47 11 

4 

9 


3 

i. 7 

7 76 

20 

163 

5 38 

12 

1 

1 

12 25 

27 168 20 

2 

17 

79 

78 3 

5 

1 


5 

j- 9 




9 









2 




5 





k. 26 

1 


2 

26 

1 

1 

1 

7 


1 10 

1 

1 

24 

1 

13 

5 

14 9 

1 

1 


1 

I. 45 

7 

2 

14 

65 

5 

6 

2 

61 

1 

7 42 

3 

4 

14 

2 

2 

22 

27 13 

3 

2 


3 

m. 40 

6 

1 

8 

50 

4 

4 

3 

44 

2 

3 4 

23 

3 

15 

7 

2 

10 

8 14 

4 

3 


2 

n. 68 23 

5 

187 122 

19 94 

17 

65 

5 25 10 

23 

43 

18 

10 

10 

74 

59 33 

18 29 


25 

o. 3 

8 

15 

7 

25 

6 

5 

9 

1 

1 

3 31 

17 

64 

1 

6 

50 

19 

9 3 

3 

7 

l 

6 

p. 16 



3 

10 

6 


2 

4 


4 



11 

5 

23 

1 

3 4 





q- 

















2 





r. 80 25 

9 

67 112 

18 27 

19 

52 

4 23 18 

20 

31 30 

9 

15 

54 

49 48 

12 

17 


14 

s. 36 

10 89 

20 

99 

7 

13 

9 

65 

2 

11 9 

12 

7 28 22 

8 

76 

116 15 

9 

10 

2 

7 

t. 57 

8 

1 

35 

185 

5 

10 

14 

59 

2 

4 11 

9 

9 

15 

3 

31 

50 

23 26 

8 21 

1 

26 

u. 3 

8 

16 

5 

78 27 

8 

4 

2 


3 7 

21 

119 


5 

33 

48 

23 1 

3 

2 


1 

v. 3 




37 




9 





43 









w. 34 




48 




36 

1 



1 

17 



1 

9 





X. 








1 





1 




1 





y- 




1 






1 

1 





1 






z. 4 

1 


1 

28 


1 


11 


1 2 

1 


2 



1 

7 43 

1 

9 


1 


Table 11. Bigram frequencies (in %%) in German (text basis SZ3-92) 
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bigrams in English and the 18 most frequent bigrams in German (they com¬ 
prise 92.93% of all bigrams) are presented in Tables 12 and 13; the 98 most 
frequent trigrams in English and the 112 most frequent trigrams in German 
(they comprise only 52.11% of all trigrams) are presented in Tables 14 and 15 . 
Comparing values published in the literature, it is important to know whether 
the word spacings are taken into consideration; sometimes (for example, in 
Fletcher Pratt 1939) only bigrams and trigrams within words are counted. 
The counts show even more fluctuations than those of individual characters, 
as can be seen from Tables 12 and 13. Frequency tables for several other 
Indo-Germanic languages have been published by Gaines and Eyraud. 
Tables 10 and 11 show at a glance that the matrix of bigram frequencies is 
not symmetric. Common bigrams with rare reverses (German Dreher) are 
/th/, /he/, /ea/, /nd/, /nt/, /ha/, /ou/, /ng/, /hi/, /eo/, /ft/, /sc/, /rs/ ; 

they are useful for the dissolution of cliques. On the other hand, the following 
pairs of bigrams show roughly the same frequency: 

/er/ - /re/, /es/ - /se/, /an/ - /na/, /ti/ - /it/, /on/ - /no/, /in/ - /ni/, 
/en/ - /ne/, /at/ - /ta/, /te/ - /et/, /or/ - /ro/, /to/ - /ot/, /ar/ - /ra/, 
/st/ - /ts/, /is/ - /si/, /ed/ - /de/, /of/ - /fo/ . 


15.7.2 Word frequencies. Quite interesting are the frequencies of words, 
i.e., of multigrams with a space at the beginning and the end. The order of 
the most frequent words is 

in English: the of and to a in that it is I for as with was his 
he be not by but have you which are on or her , 

in German: die der unci den am in zu ist dafi es , 


in French: de il le et que je la ne on les en ce se son 
mon pas lui me au une des sa qui est du , 

in Italian: la di che il non si le una lo in per un mi 
io piu del ma se , 

in Spanish: de la el que en no con un se su las los es 
me al lo si mi una di por sus muy hay mas 


The only one-letter-words in English are a and I ; two-letter-words include 
an at as he be me re we if in is it of on or ox do go no so to up my . 

The most frequent words by far in the Indo-Germanic languages are the 
non-content words 1 (French mots vides, German Formworter, inhaltsleere 
Worter), namely articles, prepositions, conjunctions, and other auxiliary par¬ 
ticles, in contrast to conceptual words (German Begriffsworter) like substan¬ 
tives, adjectives, and verbs. The 70 most frequent words of the English 
language are non-content words, and among the 100 most frequent ones are 
only ten conceptual words. Historical nomenclators paid attention to them. 


1 In English, non-content words are the only ones not capitalized in headlines. 
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Table 10 

Kullback 

Sinkov 

Eyraud 

th 

315 

156 

270 

330 

he 

251 

40 

257 

270 

an 

172 

128 

152 

167 

in 

169 

150 

194 

202 

er 

154 

174 

179 

191 

re 

148 

196 

160 

169 

on 

145 

154 

154 

134 

es 

145 

108 

115 

149 

ti 

128 

90 

108 

126 

at 

124 

94 

127 

127 

st 

121 

126 

103 

116 

en 

120 

222 

129 

146 

or 

113 

128 

108 

91 

nd 

118 

104 

95 

122 

to 

111 

100 

95 

79 

nt 

no 

164 

93 

124 

ed 

107 

120 

111 

125 

is 

106 

70 

93 

79 

ar 

101 

88 

96 

83 


Table 12. The nineteen most frequent bigrams in English (frequencies in %%) 



Table 11 

Bauer-Goos 

Valerio 

Eyraud 

er 

409 

340 

337 

375 

en 

400 

447 

480 

443 

ch 

242 

280 

266 

280 

de 

227 

214 

231 

233 

ei 

193 

226 

187 

242 

nd 

187 

258 

258 

208 

te 

185 

178 

222 

178 

in 

168 

204 


197 

ie 

163 

176 

222 

188 

ge 

147 

168 

160 

196 

es 

140 

181 


168 

ne 

122 

117 


143 

un 

119 

173 

169 

139 

st 

116 

124 


118 

re 

112 

107 

213 

124 

he 

102 

117 


124 

an 

102 

92 


82 

be 

101 

96 


104 


307 


Table 13. The eighteen most frequent bigrams in German (frequencies in %%) 
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the 

353 

hat 

55 

man 

40 

ant 

32 

rom 

28 

str 

25 

nte 

23 

ing 

111 

ers 

54 

red 

40 

hou 

31 

ven 

28 

tic 

25 

rat 

23 

and 

102 

his 

52 

thi 

40 

men 

30 

ard 

28 

ame 

24 

tur 

23 

ion 

75 

res 

50 

ive 

38 

was 

30 

ear 

28 

com 

24 

ica 

23 

tio 

75 

ill 

47 

rea 

38 

oun 

30 

din 

27 

our 

24 

ich 

23 

ent 

73 

are 

47 

wit 

37 

pro 

30 

sti 

27 

wer 

24 

nde 

23 

ere 

69 

con 

46 

ons 

37 

sta 

30 

not 

27 

ome 

24 

pre 

23 

her 

68 

nee 

45 

ess 

36 

ine 

29 

ort 

27 

een 

24 

enc 

22 

ate 

66 

all 

44 

ave 

34 

whi 

28 

tho 

26 

lar 

24 

has 

22 

ver 

64 

eve 

44 

per 

34 

ove 

28 

day 

26 

les 

24 

whe 

22 

ter 

63 

ith 

44 

ect 

33 

tin 

28 

ore 

26 

san 

24 

wil 

22 

tha 

62 

ted 

44 

one 

33 

ast 

28 

but 

26 

ste 

24 

era 

22 

ati 

59 

ain 

43 

und 

33 

der 

28 

out 

25 

any 

23 

lin 

22 

for 

59 

est 

42 

int 

32 

ous 

28 

ure 

25 

art 

23 

tra 

22 

Table 

14. The 98 

most frequent trigrams 

in English (frequencies in %%) 


ein 

122 

das 

47 

erd 

33 

ese 

27 

eni 

23 

ner 

20 

hei 

18 

ich 

111 

hen 

47 

enu 

33 

auf 

26 

ige 

23 

nds 

20 

lei 

18 

nde 

89 

ind 

46 

nen 

32 

ben 

26 

aen 

22 

nst 

20 

nei 

18 

die 

87 

enw 

45 

rau 

32 

ber 

26 

era 

22 

run 

20 

nau 

18 

und 

87 

ens 

44 

ist 

31 

eit 

26 

ern 

22 

sic 

20 

sge 

18 

der 

86 

ies 

44 

nic 

31 

ent 

26 

rde 

22 

enn 

19 

tte 

18 

che 

75 

ste 

44 

sen 

31 

est 

26 

ren 

22 

ins 

19 

wei 

18 

end 

75 

ten 

44 

ene 

30 

sei 

26 

tun 

22 

mer 

19 

abe 

17 

gen 

71 

ere 

43 

nda 

30 

and 

25 

ing 

21 

rei 

19 

chd 

17 

sch 

66 

lie 

42 

ter 

30 

ess 

25 

sta 

21 

eig 

18 

des 

17 

cht 

61 

ach 

41 

ass 

29 

ann 

24 

sie 

21 

eng 

18 

nte 

17 

den 

57 

ndi 

41 

ena 

29 

esi 

24 

uer 

21 

erg 

18 

rge 

17 

ine 

53 

sse 

39 

ver 

29 

ges 

24 

ege 

20 

ert 

18 

tes 

17 

nge 

52 

aus 

36 

wir 

29 

nsc 

24 

eck 

20 

erz 

18 

uns 

17 

nun 

48 

ers 

36 

wie 

28 

nwi 

24 

eru 

20 

fra 

18 

vor 

17 

ung 

48 

ebe 

35 

ede 

27 

tei 

24 

mme 

20 

hre 

18 

dem 

17 


Table 15. The 112 most frequent trigrams in German (frequencies in %%) 


15.7.3 Positions. The frequencies of a letter depend very often on 
position within a word. For example, the letter /e/ in German stands 


in first position 

7.7% 

in second position 

21.7% 

in third position 

16.5% 

in third from last position 

8.8% 

in second from last position 

7.7% 

in last position 

15.0% 
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15.7.4 Average word length. Although in cryptography word spacing 
is suppressed professionally, the average word length is an important charac¬ 
teristic of a language (Table 16). In the German language, word lengths are 
distributed as follows: 


1 

0.05% 

5 

11.55% 

9 

3.67% 

13 

1.40% 

17 

0.38% 

2 

8.20% 

6 

11.66% 

10 

2.64% 

14 

0.59% 

18 

0.16% 

3 

28.71% 

7 

6.04% 

11 

3.24% 

15 

0.65% 

19 

0.10% 

4 

13.49% 

8 

4.43% 

12 

2.06% 

16 

0.32% 




15.7.5 Word formation. Vowels and consonants usually alternate. Vow¬ 
els provide the singable sound pattern of any language. In French they can 
occur quite accumulated: oui'e, aieul\ even in sequences: j'ai oui dire ; less 
evident in English: aeon, pious, quoit. Consonants in Arabic languages form 
the backbone of writing, and occur accumulated in Slavic languages as well: 
czyszczenie (Polish), cvrcak (Serbo-Croatian), nebezpecenstvi (Czech). 

Welsh shows strange patterns: in rhy ddrwg (“too bad”), y and w denote vow¬ 
els, Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch is the name 
of a railroad station in Wales. In English, words with a 4-consonant sequence 
like sixths are very rare, in German Schlacht, schlecht, schlicht, Schlucht are 
8-letter words with one vowel only, and words like Erstschlag , herrschst with a 
7-consonant sequence can be obtained by composition and grammatical con¬ 
struction. Vowel distances show typical frequences, too: in German (without 
spaces) 


1 20.77% 

2 25,06% 

3 35.95% 

4 14.75% 


5 2.63% 

6 1.03% 

7 0.15% 

8 0.03% 


Table 16 gives a comparison of the average word length, the vowel frequency, 
the frequency of the five dominant consonants {lnrst}, and the infrequent 
letters for five important languages with a Latin alphabet and for Russian. 

average vowel {lnrst} rare 

word length frequency frequency letters 


English 

4.5 

40% 

33% 

j q 

X 

French 

4.4 

45% 

34% 

k 

w 

German 

5.9 

39% 

34% 

j q 

x y 

Italian 

4.5 

48% 

30% 

j k 

w x y 

Spanish 

4.4 

47% 

31% 

k 

w 

Russian 

6.3 

45% 





Table 16. Characteristics of word formation 


15.7.6 Spacing. For informal ciphers that preserve word spacing and 
possibly also punctuation, bigram tables contain also frequencies for letters 
at the beginning and the end of a word, and trigram tables contain frequencies 
for bigrams at the beginning and the end of a word and for one-letter words. 
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If word spacings (and possibly also punctuation marks) are not suppressed, 
they should be included in the encryption. Thus, the space may become the 
most frequent character. In German, spaces are about as frequent as /e/, 
while in English spaces are markedly more frequent than /e/. 

If, as in ‘aristocrats’, spaces are preserved, they are encrypted by themselves 
and thus one character is decrypted from the outset. This simplifies an entry 
considerably. Experienced amateur cryptologists may sometimes read such 
informal ciphers at first glance. “Not infrequently, the cryptogram which 
retains its word-divisions can be read at sight ... and this regardless of how 
short it may be” (Helen Fouche Gaines, 1939). 

In professional cryptology, there are good reasons for using formal ciphers and 
discussing them, as we have done. If for technical reasons, as in teletype com¬ 
munication and with an ASCII code, special control symbols are available, 
they should be used with discretion and not be mixed with the cryptographic 
process—a well-trained and responsible crypto clerk will know this. 

15.8 The Combined Method of Frequency Matching 

In an attempt to mechanize the decryption of monoalphabetic simple substi¬ 
tutions, particularly in the case of short texts, it may be wise to combine the 
information on frequencies of individual characters, bigrams, and possibly 
trigrams, in the sense that bigram frequencies are taken into account as soon 
as a clique of characters cannot be separated by monogram frequencies, and 
trigram frequencies as soon as even bigram frequencies do not separate the 
clique. More than trigrams are unlikely to be useful. In case no probable 
words are utilized, this is also a cryptotext-only attack, using nothing more 
than an assumption as to the underlying natural language. 


15.8.: 

1 

Example. 

For 

the cryptotext 

of 280 

1 characters (Kahn 

1967) 


G 

J 
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X 

N 

G 

G 

O 

T 

Z 

N 

U 

C 

O 

T 

WMO 

H 

Y 

J 

T 

K 

T 

A 

M 

T 
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B 

Y 

N 

F 

G 

O 

G 

I 

N 

U 

G 

J 

F 

N 

Z 

V 

Q 

H 

Y 

N 

G 

N 
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A 

J 

F 

H 

Y 

o 

T 

W 

G 

O 

T 

H 

Y 

N 

A 

F 

Z 

N 

F 

T 

U 

I 

N 

z 

A 

N 

F 

G 

N 

L 

N 

F 

U 

T 

X 

N 

X 

u 

F 

N 

E 

J 

C 

I 

N 

H 

Y 

A 

Z 

G 

A 

E 

U 

T 

U 

C 

Q 

G 

O 

G 

O 

T 

H 

J 

O 

H 

O 

A 

T 

C 

J 

X 

K 

H 

Y 

N 

U 

V 

O 

C 

O 

H 

Q 

U 

H 

C 

N 

U 

G 

H 

H 

A 

F 

N 

u 

Z 

H 

Y 

N 

C 

U 

T 

W 
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U 

WN 
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E 

H 

Y 

N 

A 

F 

O 

WO 

T 

U 

C 

H 

N 

P 
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o 
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L 

N 

F 

Q 

z 

N 

G 

O 

F 

U 

V 

C 

N 

Z 

J 

H 

T 

A 

H 

N 

G 

G 

N 

T 

H 

O 

U 

C 

G 

J 

X 

Y 

O 

G 

H 

T 

N 

A 

B 

N 

T 

O 

T 

WG 

N 

T 

H 

N 

T 

X 

N 

A 

E 

B 

u 

F 

K 

N 

F 

Y 

O 

H 

H 

G 

I 

U 

T 

J 

U 

C 

E 

A 

F 

H 

Y 

N 

G 

A 

C 

J 

H 

O 

A 

T 

A 

E 

I 

O 

C 

O 

H 

U 

F 

Q 

X 

o 

B 

Y 

N 

F 

G 






















a frequency count of the letters results in 


17 4 13 0 7 17 23 26 5 12 3 2 2 36 25 1 5 0 0 23 20 3 6 9 13 8 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 

There is no indication of a shifted frequency profile and a CAESAR addition 
can be excluded by a short exhaustive test. The frequency order is: 
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36 26 25 23 23 20 17 17 13 13 12 9 8 7 6 5 5 4 3 3 2 2 1 0 0 0 

NHOGTUAFCYJ XZEWI QBKVLMPDRS 

Assume that in the circumstances the plaintext is English. A confrontation 
with the frequency order of the English language, as given by Kahn in 1967, 

etaoni rshcll ucmpfywgbvj kqxz 

suggests in view of the marked decrease from 17 (for A and F) to 13 (for C 
and Y) the cliques {e} {t} {aonirs} . Thus 

N = e , H = t and {OGTUAF} = {aonirs} . 

Bigram frequencies can be used to separate this clique. Table 17 shows the 
relevant segment of a bigram table for the English language (10 000 charac¬ 
ters), Table 18 the bigram count for the present text. 



.e 

.t 

.a 

.o 

.n 

.i 

.r 

.s 

.h 

.1 

,d 

.11 

.c 

e. 

39 

80 

131 

46 

120 

40 

154 145 

15 

46 

107 

7 

64 

t. 

94 

53 

56 

111 

8 

128 

30 

32 

315 

12 

9 

22 

6 

a. 

- 

124 

1 

2 

172 

16 

101 

67 

- 

77 

15 

12 

39 

o. 

3 

53 

9 

23 

145 

13 

113 

37 

3 

17 

16 

96 

18 

n. 

64 

110 

54 

65 

9 

37 

5 

51 

9 

10 

118 

12 

31 

i. 

37 

88 

18 

63 

169 

- 

21 

106 

- 

39 

16 

- 

55 

r. 

148 

63 

57 

54 

12 

77 

18 

39 

3 

12 

16 

6 

14 

s. 

84 

121 

75 

71 

19 

42 

18 

41 

30 

6 

6 

30 

21 

h. 

251 

22 

84 

46 

2 

72 

8 

3 

5 

3 

1 

2 

2 

1. 

72 

19 

34 

28 

1 

57 

2 

12 

- 

55 

28 

8 

8 

d. 

39 

39 

45 

37 

5 

57 

10 

32 

3 

7 

10 

8 

4 

u. 

11 

45 

18 

2 

33 

5 

49 

42 

2 

28 

11 

- 

17 

c. 

55 

38 

44 

59 

- 

15 

7 

1 

46 

16 

- 

16 

12 


Table 17. Bigram frequency table for the thirteen most frequent letters in English 



.N 

.H 

.O 

.G 

.T 

.U 

.A 

.F 

.C 

.Y 

.J 

.X 

.z 

N. 

- 

1 

- 

5 

4 

5 

5 

7 

1 

- 

- 

1 

3 

H. 

3 

2 

4 

1 

2 

1 

1 

- 

1 

9 

1 

- 

- 

O. 

- 

4 

- 

4 

7 

1 

2 

1 

2 

- 

- 

- 

- 

G. 

4 

2 

6 

2 

- 

- 

2 

- 

- 

- 

3 

- 

- 

T. 

1 

4 

1 

- 

- 

3 

3 

- 

1 

- 

1 

3 

1 

U. 

- 

1 

- 

2 

4 

- 

- 

3 

5 

- 

- 

- 

1 

A. 

1 

1 

- 

- 

2 

- 

- 

4 

1 

- 

1 

- 

1 

F. 

3 

2 

1 

2 

1 

2 

- 

- 

- 

1 

- 

- 

1 

C. 

2 

1 

4 

1 

- 

1 

- 

- 

- 

- 

2 

- 

- 

Y. 

7 

- 

3 

- 

- 

- 

1 

- 

- 

- 

1 

- 

- 

J. 

- 

2 

2 

- 

1 

2 

- 

2 

1 

- 

- 

3 

- 

X. 

3 

- 

2 

- 

- 

1 

- 

- 

- 

1 

- 

1 

- 

Z. 

3 

1 

- 

1 

- 

- 

1 

- 

- 

- 

1 

- 

- 


Table 18. Bigram count in appropriate order for cryptotext of Sect. 15.8.1 
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In Table 17 it can be seen that /a/, j\j and /o/ avoid contact among them¬ 
selves (they have no ‘affinity’), except for the bigram /io/ . /oi/ is rare. In 
Table 18, O, U and A also avoid contact; OA occurs twice while AO does not 
occur. This indicates that 

O = i , A = o and therefore also U = a . 

It fits well that OU becomes /ia/ , which occurs a few times. Moreover, NU, 
which would represent /ea/, is frequent, while UN, which is missing, would 
represent the rare /ae/. Thus, the large clique is broken, and there remains 
only the fragment {GTF}={nrs} , which could even be exhausted. 

The argument about contact was based on vowel contact. This is a peculiarity 
of the English language. The term ‘vowel-solution method’ to be found in 
the English literature (Helen Fouche Gaines, 1939) is accidental and does not 
describe a general method. In other languages, vowels have no tendency at 
all to avoid contact. 

In English (and elsewhere) the consonant /n/ also has contact preferences: 
/n/ is regularly preceded by a vowel. This makes T rather than G, F and 
something from the next clique {C, Y} a candidate. It can be assumed that 
T = n and {GF}={rs} . 

Another handle gives /h/: /th/ is very frequent and /he/ and /ha/ are 
frequent. The remaining G, F and C show no suitable contacts; this suggests 
that Y = h . 

Indeed, HY (for /th/) is very frequent, YN (for /he/) and YO (for /ha/) are 
frequent. 

So far, seven of the ten most frequent characters are tentatively determined 
(and one test on {GF}={rs} would decide about two more): 

NHUATO**Y***************** 

etaoni rshcll ucmpfywgbvj kqxz. 


15.8.2 Continuation of the example. After this entry, which was a 
walk, the solution should move to a trot. Indeed, the partial decryption 
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:i 

t 

h 

J 

n 

K 

n 

0 

M 

;n 

X 

i 

B 

h e 

F 

G 

i 

G 

I 

e 

a 

G 

J 

F 

e 

z 

V 

Q 

t 

h 

e 

G 

e 

E 

o 

J 

F 

t 

h 

i 

n 

W 

Gi 

n 

t 

h 

e 

0 

F 

z 

e 

F 

n 

a 

I 

e 

z 

o 

e 

F 

G 

e 

L 

e 

F 

a 

n 

X 

e 

X 

a 

F e 

E 

J 

C 

I 

e 

t 

h 

0 

z 

G 

o 

E 

a 

n 

a 

C 

Q 

G 

i 

G 

i 

n 

t 

J 

i 

t 

i 

o 

n C 

J 

X 

K 

t 

h 

e 

a 

V 

i 

C 

i 

t 

Q 

a 

t 

C 

e 

a 

G 

t 

t 

o 

F 

e 

a 

z 

t 

h 

e C 

a 

n 

W 

J 

a 

We 

0 

E 

t 

h 

e 

o 

F 

i 

Wi 

n 

a 

C 

t 

e 

P 

t 

i 

G 

L 

e 

F Q 

z 

e 

G 

i 

F 

a 

V 

c 

e 

Z 

J 

t 

n 

o 

t 

e 

G 

G 

e 

n 

t 

i 

a 

c 

G 

J 

X 

h 

i G 

t 

n 

e 

o 

B 

e 

n 

i 

n 

WG 

e 

n 

t 

e 

n 

X 

e 

o 

E 

B 

a 

F 

K 

e 

F 

h 

i 

t t 

G 

I 

a 

n 

J 

a 

C 

E 

o 

F 

t 

h 

e 

G 

o 

C 

J 

t 

i 

0 

n 

o 

E 

I 

i 

C 

i 

t 

a F 

Q 

X 

i 

B 

h 

e 

F 

G 






















suggests a series of improvements: in the first line Mith means with , 
whence M = w , and JnKnown means unknown , whence J = u , K = k . 
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thinW in the second line means thing , whence W = g ; in the fourth line 
IethoZ means method , whence I = m , Z = d ; the word intuition fits. 
And there are more fragments that can help to find the remaining letters 
from the clique {hdlcwum}, namely /l/ and /c/ . 

However, the choice between (G, F)=(r, s) and (G, f)=(s, r) should be made 
good first. The occurrence of FG in the second line and the fact, that the 
bigram /sr/ is very rare, gives 

G = s , F = r 

a very good chance. We now have the partial decryption 
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Now in the first line suXXess means‘success’, whence X = c,and deaCing 
means ‘dealing’, whence C = 1 . 

Altogether, we now know all but a few rare letters: 

NHUATOFGYZCJ XI ***MW***K*** 
etaoni rshcll ucmpfywgbvj kqxz. 


The resulting text can be read fluently: 
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and our procedure gallops along to bring almost by itself B = p , E = f , 
Q = y , V = b . In the third line /rname doers eLera nceca/ causes a 
stumble, but then in the sixth-seventh line we read /rigin altex tisve rydes/ , 
i.e., L = v , P = x . All actually occurring letters are determined and only 
/j/> /q/i and /z/ remain open. 
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During this gallop, we find three encryption errors: 

in the third line, the fourth group should read ZBNFG ; 
in the seventh line, the third group should read NYJHT ; and 
in the eighth line, the first group should read OGHYN . 

15.8.3 Final result. If this is not enough to convince a doubtful reader, 
then we can also reconstruct the password for the substitution: apart from 
the three missing letters, alphabetic ordering of the plaintext letters gives 

abcdefghi j k 1 mnopqrstuvwxyz 
UVXZNEWYO* KCI TAB* FGHJ LMPQ* . 

The password NEWYORKCITY cannot be overlooked; it also yields for the 
non-occuring cryptotext characters R = j , D = q , S = z . 

The message in readable form, freed from the three encryption errors (whose 
positions are marked by underlining), is worth consideration: 

“Success in dealing with unknown ciphers is measured by these four 
things in the order named: perseverance, careful methods of analysis, 
intuition, luck. The ability at least to read the language of the original 
text is very desirable, but not essential.” Such is the opening sentence 
of Parker Hitt’s Manual for the Solution of Military Ciphers. 

Colonel Parker Hitt (1877 1971) published in 1916 one of the first serious 
books in the USA on cryptology and dealt in this book for the first time with 
the systematic decryption of a PLAYFAIR encryption (Sect. 4.2.1). Hitt later 
became vice-president of AT&T and president of its cryptological offspring 
International Communication Laboratories. Hitt’s sentence states that se¬ 
mantic support is not decisive for the success of unauthorized decryption 
and has been understood as encouraging mechanized solution of the labori¬ 
ous part (pure cryptanalysis). 

Note that this decryption was carried out solely with frequency considera¬ 
tions, i.e., on the basis of Theorem 3 and Theorem 3^. Other aids like 
pattern finding and probable words were not given a place. More on mixed 
methods in Sect. 15.9 . 

15.8.4 Matching a posteriori. The correct decryption shows a matching 
of the observed bigram frequencies and the expected frequencies based on 
the bigram probabilities. This is detailed in Table 19 for the thirteen most 
frequent letters after appropriate permutations. It can be interpreted as a way 
to break up the monogram cliques and leads to a combinatorial problem. A 
simple mechanical procedure for efficient execution of this optimal matching 
process is not known. 

15.8.5 A different approach. Instead of looking for the plaintext be¬ 
longing to a cryptotext, it is sometimes easier to reconstruct the encryption 
alphabet directly, provided it has been generated by a password along the 
method of Sect. 3.2.5. This reconstruction could have been started in the 
example above as soon as the first nine letters (including G, F) were found: 
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0.2 

a 

- 

3.5 

- 
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0.3 
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Table 19. Expected bigram frequencies and 

observed ones after suitable character concordance 


U***N**YO****TA**FGH****** 
abcclef g h i j k 1 mnopqr s t uvwxyz 

There is a gap of two letters between A and F and two letters from 
{B, C, D, E} could be squeezed in, while two others would build up the 
password. This leads to six cases to be treated exhaustively, the attempt 
that henceforth succeeds being 

U * * * N E * Y O * * C * TABDFGH* * * * * * 

abcdef ghi j k 1 mnopqr s t uvwxyz 

This is a highly speculative method, which nevertheless is intellectually chal¬ 
lenging. The reconstructed password is NEWYORKCITY. 
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15.9 Frequency Matching for Polygraphic Substitutions 

Polygraphic substitutions can be treated like simple substitutions if the 
TO-grams are understood as individual characters. Nevertheless, this results 
in a large alphabet of N m characters. But from the 676 bigrams of standard 
English normally only some hundred show up (Table 10), from the 17 576 
trigrams not many more, m-grams have a markedly biased frequency distri¬ 
bution, facilitating an unauthorized entry. 

15.9.1 A reducible case. Special bigram substitutions have peculiar 
methods to solve them. A trivial case is encryption with the standard matrix 
and permutations for column and row entries: 

a m e r i c ... 
e AA AB AC AD AE AF ... 

q BA BB BC BD BE BF ... 

u CA CB CC CD CE CF ... 

a DA DB DC DD DE DF ... 

1 EA EB EC ED EE EF ... 

i FA FB FC FD FE FF ... 


It can be reduced (Sect. 4.1.2) to a monographic 2-alphabetic encryption with 
period 2, which is treated in Chapter 17. 


15.9.2 Using a hidden symmetry. PLAYFAIR encryption (Sect. 4.2.1), 
once favored even by the British and German armies and also by amateurs, 
is not only of limited complexity, but has also a hidden torus symmetry. This 
has the following consequence: if a plaintext bigram contains the letter X , 
then the two letters of its encryption are selected among only eight letters, 
namely those in the row or in the column of X: 


PALME 

R S T O N 
B C D F G 
H I K Q U 
V WX Y Z 


L M E P A 

T O N R S 

D F G B C 

K Q U H I 

X Y Z V W 


U H I K Q 

Z V W X Y 

E P A L M 

N R S T O 

G B C D F 


Furthermore, the encryption of a reversed bigram is frequently the reversed 
encrypted bigram—in fact in all cases where a ‘crossing step’ was applied. 
While the bigram frequencies are preserved under PLAYFAIR encryption, 
the individual character frequencies are not: there is a tendency for a larger 
clique of more frequent and a larger clique of less frequent characters to 
develop. 

Intuitive attacks against PLAYFAIR are based on the bigram frequencies in 
connection with the peculiarities just mentioned. In practice, probable words 
are also used. Systematic treatments were first begun in 1916 by Colonel 
Parker Hitt, in 1918 by Andre Langie and in 1922 by W. W. Smith. In the 
Second World War, wherever PLAYFAIR was used it was routine solved; for 
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example, the modified PLAYFAIR (Sect. 4.2.2) used as a field cipher by the 
German Afrika-Korps, fared no better. 

The unauthorized decryptor of a polygraphic encryption normally has good 
reasons to assume that he knows the position of the multigram hiatus. That 
can be an error: If a message encrypted in PLAYFAIR is decorated with an 
odd number of initial nulls, the message is out of phase. It is not so much 
more difficult to try the two cases, but first one has to have the right idea. 

15.10 Freestyle Methods 

A clear separation of the methods, as made in this book, serves mainly the 
understanding and is indispensible if computer support is to be programmed. 
But an interplay of these methods, be it by a human or by a machine, can 
increase the efficiency of the attack. Inevitably, experienced cryptanalysts 
working ‘manually’ will combine available methods. The literature includes 
some pertinent reports by people like Bazeries, Hitt, Friedman—including 
amateurs like Babbage who were gifted with imagination. 

15.10.1 A famous cryptogram. A particularly nice example has en¬ 
tered the world literature. In 1843, Edgar Allan Poe (1809-1849) wrote a 
short mystery story, “The Gold-Bug”, containing an encrypted message and 
its solution. The alphabet is a funny hodgepodge made from figures and 
other symbols available to the printer—Poe was an homme de lettres. The 
cryptotext of 203 letters was like this: 2 

53||f305) ) 6*| 4826) 4 J . ) 4 { ) ; 806*; 4 8 f 8 If 
6 0 ) ) 8 5; 1| ( ; : t*8f83(88) 5*f; 4 6( ; 88*96* 
?;8)*t(;485);5*t2:*t(;4956*2(5*-4)81 
8*; 4069285) ; ) 6 f 8) 4 { f ; 1 ( {9; 48081; 8: 8 { 

1; 4 8 f 8 5 ; 4)485)528806*81(^9; 48; (88; 4( 

J ? 3 4; 4 8) 4| ; 161; : 188; { ? ; 

Poe allows Legrand, the hero of the story, to begin with the remark that the 
cryptosystem (he calls it ‘cryptograph’) was adequate to the mental power 
of Captain Kidd, the bad guy of the story, thus impenetrable for a simple 
sailor, although it was ‘a simple species’. Legrand, who boasts about having 
solved secret messages a thousand times more complicated, concludes that 
according to the geographic circumstances French or Spanish would come 
into consideration, but that fortunately the signature ‘Kidd’ clearly points 
to English. He also notes the lack of word-division spaces and complains 
that this makes the task more difficult. He therefore starts with a table of 
individual character frequencies: 

33 26 19 16 16 13 12 11 10 8 8 6 5 5 4 4 3 2 1 1 

8; 4 | ) *56(fl092: 3 ? 1 - . 

2 The numerous reprints and translations are abundant in typographic errors within these 
six lines. It can be seen how difficult the work of a printer is, if he lacks the feedback 
control of semantics. 
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His first assumption is 8 = e, which is backed by the frequent occurrence of 
a double /e/ in English—an argument on bigrams. Then he looks for the 
most frequent trigram /the/ , a pattern 123 with 8 at the end. He finds 
seven occurrences of ; 4 8 , and therefore assumes ; = t, 4 = h . 

“Thus, a great step has been taken.” The entry is achieved. The fifth and the 
sixth line, partly decrypted, read: 

Ithefe5th)he5f52ee06*el(|9thet(eeth( 
|?3hthe)h|tl61t: 1 e e t | ? t 

t h e t ( e e in the fifth line reminds Legrand immediately of ( = r . This 
gives him thetreethr|?3hthe and suggests /thetreethroughthe/. 
Therefore J = o, ? = u, 3 = g. Next, in the second line he finds f83(88, i.e., 
f e g r e e suggesting /degree/ and f = d; and four characters later ; 4 6 (; 8 8 *, 
i.e., t h 6 r t e e * , to be read /thirteen/, whence 6 = i and * = n. 

Now almost all of the frequent characters (except a and s) are determined. 
The partly decrypted text is: 

5goodg05) ) i n t h e 2 i ) ho. ) ho) teOi nthecle^f 
i 0) ) e 5 t lort : one degree) 5 n d t hi r t e e n 9i n 
ut e ) nor t he 5 ) t 5 nd2 : nor t h9 5 i n2 r 5 n-h) e f 
enthOi 92e 5) t ) i cle) hoot lro9t heOelte: eo 
Ithede5th)he5d52ee0inelro9thetreethr 
ought he) hot 1i It: leetout 

Instantly Legrand finds from g 0 5 ) ) and h o ) t 0 ) = s , 0 = 1, 5 = a, 

as well as furthermore 2 = b, . = p, l = v, 1 = f, :=y, 9 = m, -=c. 
The (monoalphabetic) encryption step is the mapping involving 20 letters 

8; 4 | ) *56(fl092: 3 ? 1 - . 
e t h o s n a i r cl f 1 mbyguvcp 

and the plaintext in more readable form gives the clou: 

“A good glass in the Bishop’s hostel in the Devil’s seat—forty-one degrees 
and thirteen minutes—northeast and by north—main branch seventh limb 
east side—shoot from the left eye of the death’s-head—a bee-line from the 
tree through the shot fifty feet out.” 

15.10.2 Remark. Typically, there was not a word to say that it could not 
have been a polyalphabetic encryption. Poe was monoalphabetically minded. 


15.11 Unicity Distance Revisited 

Knowledge of the probability of an n-gram helps to understand how exhaus¬ 
tion in Sect. 12.7 accomplishes the sorting out of the ‘right’ plaintext and 
why a unicity distance exists. An unlikely sequence of characters is hardly 
a ‘right’ message, but we can hope that a sequence of characters with a 
probability near 1 may be ‘right’. The unicity distance is the smallest length 
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length 1 

length 2 

length 3 

length 4 

length 5 

VFKRQ 

0.76 

0.02 




WG L S R 

2.03 

0.04 




X HMT S 

0.01 

0.01 




Y I N U T 

0.01 

0.06 

0.06 



Z J O VU 

1.21 

0.03 

0.05 



A K PWV 

5.96 

1.88 

0.01 



B L QXW 

1.77 

2.35 




C M R Y X 

3.17 

0.03 




D N S Z Y 

5.22 

1.44 

0.01 



E O T A Z 

17.98 

1.58 

0.11 

1.27 


F P U B A 

1.23 

0.19 

0.03 



GQVCB 

3.25 





HRWD C 

4.61 

9.54 

0.45 



I S X E D 

7.97 

20.30 

0.01 



J T Y F E 

0.06 





K U Z G F 

1.12 

2.34 




L V A H G 

3.19 

0.71 

0.11 



MW B I H 

2.47 

0.86 




N X C J I 

11.06 

0.03 




OYDKJ 

2.00 

0.14 

0.01 



P Z E L K 

0.59 

0.05 




Q A F M L 

0.01 





R B G NM 

6.42 

6.38 

0.05 



S C H O N 

7.48 

22.84 

90.51 

98.73 

100.00 

T D I P O 

5.55 

9.09 

8.56 



U E J Q P 

4.87 

20.09 

0.03 




100.00 

100.00 

100.00 

100.00 

100.00 


Table 20. Step by step sorting out of the ‘right’ plaintext 
according to n-gram probabilities (in %) 


of a text that has probability near 1 for one of the possible decryptions and 
probability near 0 for all other possible decryptions. 

A human sorts out the ‘right’ plaintext (‘running down the list’) by an opti¬ 
cal and cerebral perception process, but this can be simulated by statistical 
analysis. 

For the example of Table 6, beginning with the sixth columns, this is shown 
in Table 20. The multigram probabilities have been determined by the text 
basis SZ3-92 and are normalized to 100%, empty fields mean probabilities 
below 0.005%. The unicity length is in this example clearly 5. 

This exhaustion, however, has its limits if it goes into the ten thousands of 
trials, and is inappropriate for full monoalphabetic encryption if no further 
information can be used. 


No monoalphabetic substitution can 
maintain security in heavy traffic. 

David Kahn 1967 
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Kappa and Chi 


Riverbank Publication No. 22, 
written in 1920 when Friedman was 28, 
must be regarded as the most important 
single publication in cryptology. 

David Kahn 1967 

Astonishingly, given a monoalphabetically encrypted cryptotext, it is easier 
to say whether it is in English, French, or German, than to decrypt it. This 
is also true for plaintext: there is a reliable method to test a sufficiently long 
text for its membership of a known language, without ‘taking notice’ of it— 
without regarding its grammar and semantics—and there is a related test 
to decide whether two texts belong to the same language, without closely 
inspecting them. 

Indeed, there exists a particular invariant of a text under monoalphabetic 
encryption, which is discussed in the following, and a related invariant of a 
pair of texts which is even invariant under a polyalphabetic encryption of 
both texts with the same key. And these invariants have peculiar values 
which differentiate between most of the common Indo-Germanic languages. 

16.1 Definition and Invariance of Kappa 

Given a pair of texts T = (ti, t%, t ^,... 4m) , T' = (f^, t' 2 , t' 3 ,... t' M ) of equal 
length M > 1 over the same vocabulary Zm . 

The relative frequency of finding in the two texts the same character at 
the same position (the character coincidence, in the sequel marked by *) is 
called the Kappa of the pair of texts (William F. Friedman 1925, ‘index of 
coincidence’, often abbreviated I.C.). Thus 

M 

Kappa(T, T') = 

At=l 

with the indicator function (‘delta function’) 

S(x, y) = { 1 ^ x ~ y 

10 otherwise 
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Example 1 (M = 180) 

T: theprecedi ngchapterhasi ndi catedhowam 

T': wouldsee mt hat one way t oo bt ai ngreaterse 
* * * 

onoal phabeti cci phercanbesol vedeveni f 

curi tywoul dbetousemo rethanoneal phabe 

* * 

theoriginalwordlengthsareconcealedan 
t i n e n c i p h e r i ng a me ssagethegeneral syst 

dthesubsti tuti onal phabeti srandomi ti s 

e me o ul dbeonethatusesanumb erofdi ffere 
* * * * 

possi bl etof i ndasol uti onbyusi ngf reque 

nt al phabe t sf orenci pher me n t wi t h a n u n d e 

* * 

Example 2 (M = 180) 

T: estauchtvonzeitzuzeiti mme rwi ederei n m 

T': untersch we i zerpol i ti kern wa echstdi ean 

* * * * 

a 1 a u f umk urzdaraufei 1 ferti gde me nt i e r t 

gstdennaechstenzugrichtungegzuverpas 

* 

zuwerdendasgeruechtdasssichdieoelexp 

senaussenmi n i sterrenefel bersahsi chj e 

* 

orti ere n deni aendervo mdol 1 arl oesenwol 
t z t u e b e r r as c h e n d e i n e r f or d e r ungaus d e m 

1 enzuverde nkenwaereesi hnenf rei 1 i chni 
staenderatausgesetzteinbeitrittsgesu 

In example 1 (English) there results Kappa(T,T') = 17/180 = 9.44%; in 
example 2 (German) Kappa(T,T') = 21/180 = 11.67%. 

16.1.1 Dependence on language. Obviously 
Kappa (T, T') < 1, where 
Kappa(T,T') = 1 if and only if T = T'. 

There is the empirical result that sufficiently long texts T GS , T' gS from one 
and the same language S (or rather from the same genre of this language) 
have values Kappa(T,T') close to some ks , while ks varies from language to 
language. In the literature the following values of ks are given: 
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5 

N 

US (Kullback 1976) 

Ks (Eyraud 

English 

26 

6.61% 

6.75% 

German 

26 

7.62% 

8.20% 

French 

26 

7.78% 

8.00% 

Italian 

26 

7.38% 

7.54% 

Spanish 

26 

7.75% 

7.69% 

Japanese (Romaji) 

26 

8.19% 


Russian 

32 

5.29% 

4.70% 


The values in the literature fluctuate: 6.5-6.9% for English, 7.5-8.3% for 
German. From the text corpus mentioned in Sect. 15.5.4, there results for 
the English language a value of n e = 6.58%, from the text basis SZ3-92 for the 
German language a value of K d = 7.62%, in good agreement with the values 
of Kullback. French and Spanish, for example, come very close. Bletchley 
Park, in WWH, calculated K d « A = 5.88% for German Navy signals. 

The values for ks, the empirical Kappa of a language S, seem to reflect 
somewhat the redundancy of the languages: The translation of the Gospel of 
St. Mark, with 29 000 syllables in English (according to H. L. Mencken), needs 
in the Teutonic languages on average 32 650 syllables, in the Romance lan¬ 
guages on average 40 200 syllables (36 000 in French), in the Slavic languages 
on average 36 500 syllables. But there is no strict connection. 

16.1.2 Language recognition. Two results stand out: 

Invariance Theorem 5: For all polyalphabetic, functional simple sub¬ 
stitutions, especially for all polyalphabetic linear simple substitutions 
(including VIGENERE additions and BEAUFORT subtractions), 
the Kappa of two texts of equal length, encrypted with the same key, 
is Invariant. 

Invariance Theorem 6: For all transpositions, 

the Kappa of two texts of equal length, encrypted with the same key, 
is Invariant. 

Provided Kappa is typical, the cryptotext reveals the underlying language. 

16.1.3 Expectation values. The expectation value (Kappa(T,T'))QQi 
for the Kappa of two texts of equal length M over the same vocabulary Zm is 
calculated from the probabilities Pi, p\ of the appearance of the i-tli character 
in the ‘stochastic sources’ Q, Q' of the texts: The expectation value for the 
appearance of the character Xi i n the /i-tli position of the texts is pi ■ p ' t ; 
which gives the expectation value for Kappa(T,T') 

(Kappa{T,T')) Q Qf = ^p* -p' . 

i= 1 

If the two sources are identical, Q' = Q, then p[ = pi and 

N 

(*) {Kappa{T,T')) Q = ^p* . 

i= 1 
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This equation relates the definition of Kappa with the classical urn experi¬ 
ment of probability theory. 

Theorem: For identical sources Q' = Q , 

jf < ( Kappa(T,T')) Q < 1 ; 

the left bound is attained for the case of equal distribution: Qr : p, ; = A, 
and only for this case; the right bound is attained for every deterministic 
distribution Qj : pj = 1, pi = 0 for i yt j , and for no other distribution. 

As said above, from the hypothetical probability distribution in Sect. 15.5.4, 
Table 8, 

K e = (Kappa(T, T')) English = 0.06577 « A, 

K d = (Kappa(T,T')) G e rman = 0.07619 W A . 

For the source with equal distribution Qr (TV = 26), 

k r = (Kappa(T,T')) R = 0.03846 = A 

Thus, the Kappa test differentiates English and German sources clearly from 
a source with equal distribution: 

Ke /KR = N ■ K e = 1.71 , Kd/ftR = N ■ K d — 1.98 . 

A rule of thumb for the common languages is: 

The ratio {KappaiT,T’))s/(Kappa(T,T'))ji is close to two. 

16.2 Definition and Invariance of Chi 

Given again two texts of equal length M over the same vocabulary of N 
characters, T = (G, tg, £ 3 , • ■ • £m) , T' = (ti,t' 2 ,t' 3 ,... t' M ). Let rrij, to' de¬ 
note the frequency of the appearance of the character \i in the texts T, T', 
respectively; then to* = M , YliLi to' = M. 

Chi denotes the ‘cross-product sum’ (Solomon Kullback, 1935) 

N 

Chi(T, T') = (^to,; • to')/M 2 . 

1=1 

Written homogeneously, the definition is 

N N N 

Chi{T,T') = (J^TOi • to')/( C^mi) ■ ). 

2=1 2=1 2=1 

The two texts in Sect. 16.1, Example 1, have the following frequencies 

abcde f g h i j k lmnopqr s tuvwxyz 

T 15 689 21 34 10 17 0082 14 13 618 11 14 522010 

T' 15 6 4 5 30 4 4 9 8 0 0 6 6 15 12 4 0 10 10 17 8 0 4 0 3 0 

2151 


This results in 


Chi(T, T') 


180-180 


6.64%. 
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For the two texts in Sect. 16.1, Example 2, the frequencies are 

abccle f gh i j k lmnopqr s t uvwxyz 

T 10 04 11 35 425 15 02 10 6 14 710 15 79934106 

T' 11 3 6 6 33 2 7 7 12 1 1 2 2 16 2 2 0 15 18 16 10 1 2 0 0 5 

This results in Chi(T, T') = 1 gQ.^| 0 = 7.69%. 

16.2.1 Chi. In analogy to Sect. 16.1.1, for simple geometric reasons 
Chi{T,T') < 1, where 

Chi{T,T') = 1 if and only if T and T' are built 
from one and the same character. 

If all to, are equal, to,; = M/N , then (for arbitrary to') 

Chi(T,T')=± = K R . 

Empirically, one finds again that for sufficiently long texts from one and the 
same language S (or from the same genre of this language) not only are 
values of Chi rather close to some value typical for the language, but also 
this value is close to the value of Kappa for this language. This will be 
clarified in Sect. 16.3 . 

16.2.2 Psi. There is the important special case T' = T, m! i = to, . Let 

N 

Psi(T) = Chi(T, T) = J2 m i / M2 . 

i= 1 

From Steiner’s theorem, 0 < w) 2 /^ 2 = J2iLi m i/M 2 ~ jj > 

jt < Psi(T) < 1, where 

Psi(T) = = kr if and only if all ?n,; are equal, 

Psi(T) = 1 if and only if T is built 

from one and the same character. 

For the rare case M < N of an extremely short text even 

< Psi{T) , where Psi(T) = if and only if to, € {0,1}. 

16.2.3 Invariance. Chi and Psi have invariance properties, too. In con¬ 
trast to Kappa , there is a weaker statement: 

Invariance Theorem 7: For all monoalphabetic, functional simple 
substitutions, especially for all monoalphabetic linear simple substitu¬ 
tions (including VIGENERE additions and BEAUFORT subtractions), 
the Chi of two texts of equal length, encrypted with the same key, as 
well as the Psi of a text, are invariant. 

Invariance Theorem 8: For all transpositions, 

the Chi of two texts of equal length, encrypted with the same key, as 
well as the Psi of a text, are invariant. 

In so far as Kappa, Chi or Psi are characteristic for a language, the language 
can be determined from the cryptotext. 
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16.2.4 Expectation values. The expectation value (Chi(T\T')) qq/ for 
the Chi of two texts T £ S, T' £ S of equal length M over the same vocabulary 
Zjy is calculated from the probabilities Pi, p' t of the appearance of the i-th 
character in the ‘stochastic sources’ Q , Q' of the texts: The expectation value 
for the multitude of the character \i i n T is pi ■ M , in T' is p\- M , giving 
the expectation value for Chi(T,T’) 


N 

< chi(T,r))QQ' = y £pi-Pi • 

i=1 


If the two sources are identical, Q' = Q, then p[ = pi 

N 


(*) 


In particular, 


(chi(T,r)) Q = J2 p1 ■ 

N 

{Psi(T)) Q = Y.P 2 i- 

i=\ 


and 


Theorem: For identical sources Q' = Q , 

±<(Chi(T,T')) Q <l, 

and in particular 

±<(Psi(T)) q < 1 . 

The left bound is attained for the case of equal distribution: Qr : pi = 
and only for this case; the right bound for every deterministic distribution 
Qj : pj = 1, pi — 0 for i ^ j, and for no other distribution. 

Amazingly, the expectation values marked by (*) ( Kappa(T,T'))Q (see 

16 . 1 . 3 ) and ( Chi(T,T'))Q coincide. It will turn out that there is a relation 
even between Kappa(T,T') and Chi(T,T'). 

16.3 The Kappa-Chi Theorem 

For the following, we need two auxiliary functions . 

Y , _ f 1 if C, the /j-tli character of T, equals Xi 

10 otherwise 

Let g[ for T' be defined correspondingly. Then 

N 

K) = ^2 9i,n ■ g'i, v and 

i= 1 

M M 

mi = 9i,n , m'i = Y 9i,v ■ 

fl—1 IS=1 
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16.3.1 Definition. Let T^ be the text T shifted cyclically by r positions 
to the right. Then the number of coincidences between T^ and T' is 

M 

Kappa(T^\T') = E S ( L (M-r- 1 ) mod M +15 O/M. 

/X=l 

In particular, Kappa(T^°\T') = Kappa(T,T’). 

16.3.2 Kappa-Chi Theorem. We now formulate the connection between 
Kappa and Chi: 

M- 1 

- ]T Kappa(T^,T') = Chi(T,T') ■ 

1 p=0 

Thus, Chi(T, T') is the arithmetic mean of all Kappa(T^ r \T'). 


^ M — l 

Corollary : — E Kappa{T^ p \T) = Psi(T). 

1 p =o 


Proof: 

iEm 1 Kappa(T( p \T) = 

Y^=0 EE 1) mod M +1, t' li ) = 


M ■ 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 


tp —0 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 

J_ 

M 


E m ^~\M ^~\N / 

i/=l 2-^u,— 1 Z—/i=l 


E iV ^~\M ^~^,m 

i—1 2—/is=l 2-^ri=l 9i ,/ 


' 9i,u = 


E N /sr-yM / \ /v—vAA \ 

i=l 1 Zi/=1 ' 1Z/j=1 9i,p) ~ 

\—\N i 

E*=i • m i = 


Chi(T,T'). 


CXI 


It now becomes evident that in Sect. 16.1 the values for Kappa with 9.44% 
and 11.67% (accidentally) turned out rather high compared with the average 
values 6.64%i and 7.69% in Sect. 16.2 . 


16.4 The Kappa-Phi Theorem 

The case T' = T shows the peculiarity that Kappa(T^ y> . T) = 1, while for 
r^O essentially smaller ‘normal’ values of Kappa{T^ r \T) are found. Thus, 
the case r = 0 is untypical in the averaging process, and it would be more 
natural to extend the mean over the remaining m — l cases only: 

M—l 

y E Kappa{T^\T). 
p=i 
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16.4.1 Kappa-Phi Theorem. Now 

®b ■ £pE Kappa(TM,T) 

®b ■ (£f = o KappaiT M, T) - 1) = ^ • (M • Psz(T) - 1) 

-1) = -M) = 

Mb • S • (Ef=iK - = Mb • M • (Eti ^ • K -1)) • 

Thus, we define a new quantity 

N 

Phi(T) = mi ■ ( mi - 1 ))/(Af • (M - 1)) 

i=l 

and state the Kappa -Phi theorem: 

M—1 

E Kappa(T^,T)) = Phi(T). 
p= i 

The calculation of Phi(T) presents the small advantage, compared with 
Psi(T ), that not only for the case to, = 0 but also for to, = 1 nothing 
is contributed to the sum. This is useful for the rare letters in short texts. 
Note that Phi(T ) = 0 holds if and only if all to, € {0,1} . 

But there is another reason why people in the field work predominantly with 
Phi instead of Psi: it was Solomon Kullback who, using suitable stochastic 
arguments, first proposed the test for Phi (apart from the test for Chi). 

Example 3: For the cryptotext T (M = 280) of Sect. 15.8.1, with the fre¬ 
quencies stated there, 

280 2 • Psi(T) = 289+16+169+0+49+289+ 529+676+25+144+9+4+4+ 
1296+625+1+25+0+0+529+400+9+36+81+169+64 = 5438, 

280 • 279 • Phi(T) = 272+12+156+0+42+272+ 506+650+20+132+6+2+2+ 
1260+600+0+20+0+0+506+380+6+30+72+156+56 = 5158, thus 

Psi(T) = 5438/78400 = 6.936% ; Phi(T) = 5158/78120 = 6.603%. 

Moreover, with the frequencies of bigrams, i.e., with the text T** = TxT^\ 
one obtains 

Psi(T**) = 871/77841 = 1.119%; Phi(T**) = 592/77562 = 0.763%. 

16.4.2 Difference. Phi(T) is not very different from Psi(T): Since 

M ■ Psi(T) = (M - 1) • Phi(T) + 1 , 

Psi(T) - Phi(T) = = b® , thus 

Phi(T) < Psi(T). 

Moreover, ' ~k T Phi(T ) (useful for the frequent case M>N> 1) holds; 

equality holds if and only if all mi are equal. 



328 16 Kappa and Chi 


16.4.3 Invariance. Phi has the same invariance properties as Psi: 
Invariance Theorem 7* phl ); For all jnonoalphabetic, functional sim¬ 
ple substitutions, especially for all monoalphabetic linear simple sub¬ 
stitutions (including VIGENERE additions and BEAUFORT subtrac¬ 
tions), 

the Phi of a text is invariant. 

Invariance Theorem 8' phl ) : For all transpositions, 
the Phi of a text is invariant. 

16.4.4 Expectation values. The expectation value {Phi(T))^' > for the 
Phi of a text T of length M is calculated likewise from the probabilities pt 
of the appearance of the i- th character in the ‘stochastic source’ Q of the 
text: The expectation value for Phi(T ) depends on M, too: 

<■ Phi{T )> W • (Eti Vi ■ 0 Pi - s)) • Thus 

(Phi(T))^ > / M^T ' (n ~~ m) = n ‘ m -l T ^ ^ ■ 
x y " Q ~ \ 0 if M < N ’ 

equality holds if and only if all m, are equal. 

As M gets larger and larger, the expectation value for Phi(T ) approaches 
the expectation value for Psi(T) , namely 

(Phi(T))^ = ^ =1 pl 

16.5 Symmetric Functions of Character Frequencies 

The invariance stated in Theorems 7 and 8 for Psi holds for all symmetric 
functions of the character frequencies ?n,;. The simplest nonconstant polyno¬ 
mial function is indeed Efli TO | • It is a member of the following interesting 
family: 1 

f (Eti( m >/ M ) a ) 1/( °" 1) if 1 < a < oo 

Psi a {T ) = | exp(EiIi (rrii/M) • In (nn/M)) if a = 1 
t max^i (m,/M) if a = oo 

with the normalization E^-i (to ; ;/M) = 1. Psi^ is Psi. Generalizing the 
result of Sect. 16.2.2, 

For all a in the domain 1 < a < oo , 

Psi a (T ) = = k.r if and only if all rri, are equal. 

The interesting new functions are Psi\ and Psi 0 0 , which are the continuous 
limit functions of the family. Psi\ has also the representation 

N 

Psii(T)= . 

i =1 

1 With x • In a: 0 for x \ 0 ; x x /* 1 for x \ 0 . 
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The logarithmic quantity —Id Psi a (T) is called the Renyi a-entropy of T 
(Renyi, I960) 2 ; the family has the following representation: 


f ~Ai ' ld (Eili {m/ M ) a ) if 1 < a < oo 

-Id Psi a {T) = | ( rrii/M )) if a = 1 

[ — max^j ld (■ nrii/M) if a = oo 

Renyi 1-entropy —ld Psi± is the Shannon entropy (Claude E. Shannon 1945) 3 . 
Renyi 2-entropy —ld Psi 2 should be named the Kullback entropy. 

Figure 129 shows the graph of —ld Psi a for TV = 2 and for some values of a. 
For the English text T (.M = 280) of Sect. 15.8.1, for single characters, 
Psi\{T) = 5.852% -ldPszi(T) = 4.095 

Psi 2 (T) = 6.936% -ld Psi 2 {T) = 3.850 (Sect. 16.4.1) 

Psioo(T) = 12.857% -ldPsi 00 (T)= 2.959 . 


For bigrams, the entropy values are slightly smaller, 


/ Psi\{T x TW) = 
/Psi 2 (T x T(b) = 
'Psi 00 {TxTO) = 


9.37% 

10.58% 

17.96% 


— |ld Psh(Tx T^) = 3.42 
-|ld Psi 2 (Tx TW) = 3.24 (Sect. 16.4.1) 
-ildPsZoo(Tx T^P) = 2.48. 


2 Alfred Renyi (1921-1970), Hungarian mathematician. 

3 Claude E. Shannon (1916-2001), American mathematician, engineer, and computer sci¬ 
entist, first became famous in 1937 with a publication on relay circuits and Boolean 
algebra (A Symbolic Analysis of Relay and Switching Circuits. Trans. AIEE 57 , 713- 
723, 1938). In 1941, at Bell Laboratories, he worked on mathematical problems in 
the communication of noisy and secret messages. This led him into information the¬ 
ory (A Mathematical Theory of Communication, Bell System Technical Journal, July 
1948, p. 379, Oct. 1948, p. 623 and, together with Warren Weaver, Mathematical The¬ 
ory of Communication. Univ. of Illinois Press, Urbana 1949). 
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It may be laid down as a principle that it is never worth 
the trouble of trying any inscrutable cypher unless its 
author has himself deciphered some very difficult cypher. 

Charles Babbage 1854 

The Babbage rule would have deprived cryptologists of some 
of the most important features of modern cryptography, such 
as the Vernam mechanism, the rotor, the Hagelin machine. 

David Kahn 1967 

Even if a multitude of independent alphabets is used, periodic polyalphabetic 
encryption contains one element which is difficult to hide: the number of keys 
in the period of the encryption. This is based on the following stationariness 
property of stochastic sources: If P is a plaintext (of length M) from a 
source Q , then P^ , the plaintext P shifted cyclically by any number s of 
positions, is from the same source. 

Theorem 1: Let pi be the probability for the appearance of the z-th char¬ 
acter in the source Q. Let d be the period of a periodic, polyalphabetic, 
functional, simple and monopartite encryption (for simplicity we assume that 
d\M). Then the encryption C of a plaintext P and , shifted cyclically 

by k-d positions, are from the same source, therefore 

N 

(Kappa(C^ d \C)) Q = E Pi for all k . 

i=i 

Proof: The encryption of p( fc d ), the cyclically shifted P , coincides with 
C^ k ' d \ the cyclically shifted encryption of P. According to Sect. 16.1.3 (*), 
{Kappa{C^ d \C)) Q = (Kappa(P^ d \ P)) Q = . M 

On the other hand, such a statement cannot be made on {Kappa{C^ u \ C))q , 
where d / u . Asa rule, C *■“) = C' and C come from stochastic sources Q' and 
Q which are independent of each other. Thus, if u is not a multiple of d , 

(■ Kappa(C( u \C))Q'Q = J^iLiPiPi may fluctuate around A. 

At least this is so if there are enough alphabets, and if they are chosen such 
that they achieve a thorough mixing of the character probabilities. 
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G E I E I 
FZEKE 
N U B A I 
L N RW E 
X N B X M 
A H U L M 
G N A MI 


A S G D X 
J L V D X 
V S MU K 
Q J N X X 
W A L P N 
K N U M Y 
U K 


V Z I J Q 
WKWK E 
H S S P W 

V V O A E 
F D C F P 
E X D MW 


L M W L A 
T X L B R 
N V L W K 
G E UW B 
X HW Z K 
B X Z S B 


A MX Z Y 
A T Q H L 
A G H G N 
Z W MQ Y 
E X H S S 
C H VW Z 


Z ML W H 
B MX A A 
U MI(W D 
MO ML W 
FXKI Y 
X P HW L 


Fig. 130. Cryptotext of G. W. Kulp (containing the groups LMW, LAAM and MLW) 


17.1 The Kappa Test of Friedman 

17.1.1 Example. William F. Friedman proposed plotting Kappa{C^ u \ C ), 
the index of coincidence between C and C. For the cryptotext in Figure 
130, this plot is shown in Figure 131 (without u = 0, which is outside the 
frame). For multiples of 12, high values are obtained, indicating that 12 
might be a period. 

J. J. J. J. 


hr 


Fig. 131. Kappa plot for the (English) cryptotext of G.W. Kulp 


17.1.2 Kulp. The cryptotext of Figure 130 has a history. It was submitted 
by a Mr. G.W. Kulp to a newspaper in Philadelphia, Alexander’s Weekly 
Messenger, following a request by the cryptologically versed Edgar Allan Poe, 
to send in monoalphabetically encrypted texts with word divisions preserved. 
It was published February 26, 1840 (Fig. 133). Poe demonstrated in a later 
issue that the alleged crypto was not following the rules—he did so by showing 
that any monoalphabetic substitution of suitable proper English words for 
LMW, LAAM and MLW leads a contradiction, and stated that the crypto, “a 
jargon of random characters having no meaning whatsoever”, was false (“an 
imposition”). A glance at the frequency distribution, shown in Figure 132, 
indeed reveals its balanced nature. Thus, frequency matching could not work. 

12 7 2 5 10 4 6 9 6 3 10 12 14 9 2 4 4 2 7 2 7 7 16 15 4 8 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 


Fig. 132. Frequency distribution in the cryptotext of G. W. Kulp 
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17.1.3 Objections. This suggests that the encryption might be polyal- 
phabetic. In fact, the cryptotext gives a value of = 4.56% for Phi, 

or j||| = 5.07% for Psi, close to kr = ^ and too low for monoalphabetic 
encryption of an English text. Bigram substitution was also excluded by the 
rules, and PLAYFAIR was only invented in 1854. Anyhow, as already said, 
Poe was strictly monoalphabetically minded. 

"Ge Jeasgdxv. 

Zij gl mw, laam. xzy zmlwhfzek 
ejlvdxw kwke tx lbr atgh lbmx aanu 
bai Vsmukkss pwn vlwk agh gnumk 
wdlnzweg jnbxvv oaeg enwb zwmgy 
mo mlw wnbx mw al pnfdcfpkh wzkex 
hssf xkiyahul. Mk num yexdm wbxy 
sbc hv wyx Phwkgnamcuk?” 

Fig. 133. Facsimile of the cryptotext of G. W. Kulp (1840) 

(it was found out later that the printer made several errors, 
e.g., reading q as g, and also suppressed one letter) 


17.1.4 Determination of the period. Figure 131 shows that a few values 
of Kappa come close to K e but most of them are slightly above or below kr. 
Large values of Kappa caused by a period should also show large values for 
all multiples; this rather excludes 5 and 15, while 12 cannot be dismissed. 
For the cryptotext of Kulp, a monographic encryption, polyalphabetic with 
a period of twelve is a promising hypothesis, but no more. 

The cryptotext of Kulp, with its 187 characters, is rather short; for longer 
texts the multiples of a period stand out much better. This can be seen in 
Fig. 134 for a text of 300 characters and in Figure 135 for a text of 3 000 
characters, where the period catches the eye. 

17.2 Kappa Test for Multigrams 

The Kappa plot is not limited to single characters. Bigrams and more gen¬ 
erally multigrams can be understood as characters, which however enlarges 
the vocabulary considerably. 

For bigrams, = -^2 = 14.8%% . It is only important, how much Kg* is bigger 
than Kr , and it turns out that the factor of about 2 in the monographic case is 
replaced by a factor 4.5-7.5 for bigrams (Fig. 136): For English, according to 
Kullback, k** is close to 69%% , for German, according to Kullback and Bau¬ 
er, k*[* is close to 112%% . This means a clearer separation of the levels. For 
trigrams, Kg** is by a factor 18-40 larger than k^** = =0.569%% , but even 

with 3 000 characters the fluctuation is remarkable (Fig. 137). According to 
Alexander, the factor is about 100 for tetragrams, about 15000 for hexagrams. 
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Fig. 134. Kappa plot for a (German) text of 300 characters 



Fig. 135. Kappa plot for a (German) text of 3 000 characters 


17.3 Cryptanalysis by Machines: Searching for a Period 

17.3.1 Use of punch cards. It can be safely assumed that in the USA the 
methods of Friedman and Kullback were applied during the Second World 
War, and this by machines. As early as in 1932, Thomas H. Dyer of the 
US Navy had used IBM punched card accounting machines for speeding up 
the work, the US Army followed in 1936. In 1941, the year of Pearl Harbor, 
SIS, the Signal Intelligence Service of the US Army, had 13 accounting 
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Fig. 136. Kappa plot for bigrams (German text of 3 000 characters) 



Fig. 137. Kappa plot for trigrams (German text of 3 000 characters) 


machines at work; in 1945, at Arlington Hall, the number was 407 machines. 
IBM received $750 000 per year for rent. 

In Germany, accounting machines were used, too. They were, as elsewhere, 
particularly needed (see also Sect. 18.6.3) for stripping superencryption from 
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codes. But they were also helpful for performing a Kappa test. For this 
purpose, they were also used (according to Kahn and Takagi) by the Japanese. 
Forerunners of such automatic processing by punch card machinery were 
perforated sheets of paper (‘overlay sheets’), used in Britain and elsewhere. 
If used for coincidence counts, the cryptotext was recorded by punched holes 
in a binary l-out-of-26 code. While for a single coincidence count it suffices 
to write the texts one below the other, as done in Sect. 16.1, for a Kappa 
test the count is to be done repeatedly for shifted texts. Then the extra 
effort in preparing the overlay sheets is worthwhile, since the coincidences 
are seen ‘at a glance’ by light shining through the hole. This coincidence 
determination is not only much quicker, it is also more reliable. Figure 138 
shows such sheets as they were used in Bletchley Park, where they were called 
‘Banbury sheets’, because the punching was done in Banbury, a nearby small 
town. Single character coincidences as well as multigram coincidences can be 
detected and counted this way (Fig. 139). 

Punching the Banbury sheets can be done by hand. Using some simple 
machinery, a more refined coding, which saves paper, can be made, e.g., 
a 2-out-of-5 code for use in encoding decimal digits, or a 2-out-of-10 code, 
enough to encode both letters and digits, as was used in the German OKW 
Cipher Branch by Willi Jensen. However, these codings, including the tele¬ 
type 5-bit code, require more complicated means for automatic detection and 
registration of coincidences. 

17.3.2 Recording of repetitions. In the Cipher Branch of the German 
OKW (dubbed OKW/Chi, Group IV Analytische Kryptanalyse, headed by 
Erich Hiittenhain), a special device was built by Willi Jensen for the deter¬ 
mination of coincidences (‘Doppler’) and distances. Called the Perioden- und 
Phasensuchgerat (Fig. 140), it worked with two identical 5-channel teletype 
punched tapes, closed into a loop. One of the loops contained an additional 
blank punch. With each completed cycle through a pair of scanners, the 
phase between the two messages was shifted by one position. This ‘saw- 
buck’ principle seems to have been well known and used at several other 
places, too. The scanners were photoelectric and used for comparison a relay 
circuitry (Zeichenvergleichslabyrinth). The recording was done mechanically, 
and for a given shift the length of a stroke was proportional to the length of 
the repeated sequence (the ‘length of the parallel’). After a completed cycle 
the recording unit moved forward one position. 

Moreover, a second recording unit counted only the bigram coincidences, a 
third one the trigram coincidences, and so on up to 10-gram coincidences 
(‘parallels’). The devices automatically gave a Kappa plot for single charac¬ 
ters, bigrams, etc. With a scanning speed of 50 characters per second this 
took two hours for a text of 600 characters and was about a hundred times 
faster than work by hand. The device was destroyed at the end of the war. 
The available material on the work of Jensen contains no references to Fried¬ 
man, but it can be safely assumed that at least his early, published work 
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Fig. 138. Perforated sheet with segment of the cryptotext in Fig. 130 
NUBAIVSMUKHSSPWNVLWKAGHGNUMKWDLNRWEQJNXXVVOAEGEU 



Fig. 139. Overlay of two perforated sheets with segments of the cryptotext in Fig. 130 , 

shifted by 72 characters 

NUBA I V SMUKHSSPWNVL WKAGHGNUMKWDL N R WEQ JNXXV V OAEG EU 
CFPXHWZKEXHSSFXK I Y A HULMKNUMY E XDMW B XZSBCHVWZXPHWL 

was known to Hiittenhain. However, he could have known about Friedman’s 
main work 1 of 1938-41, which was classified, only by intelligence. 


1 William F. Friedman, Military Cryptanalysis, War Department, Office of the Chief Sig¬ 
nal Officer. Washington, D.C.: US Government Printing Office. Vol. I: Monoalphabetic 
Substitution Systems 1938, 1942. Vol. II: Simpler Varieties of Polyalphabetic Substitu¬ 
tion Systems 1938, 1943. Vol. Ill: Simpler Varieties of Aperiodic Substitution Systems 
1938, 1939. Vol. IV: Transposition and Fractionating Systems 1941. A copy is in the 
University of Pennsylvania Library, Philadelphia, PA. 
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Fig. 140. Registration of coincidences in a Perioden- und Phasensuchgerat 
(Willi Jensen, Hilfsgerate der Kryptographie. Draft of a Thesis, 1953) 


17.3.3 The Robinsons. In Britain, the manual work with perforated 
sheets was mechanized by the HEATH ROBINSON 2 , ready in May 1943. 


2 W. Heath Robinson was a British cartoonist who drew magnificent and lovely but im¬ 
practical machines for all possible and impossible tasks. There were copies of HEATH 
ROBINSON called PETER ROBINSON and ROBINSON AND CLEAVER—names of 
London department stores. By the end of 1943, 12 ROBINSONs had been ordered. 
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Designed by C. E. Wynn-Williams, it had comparator and counting circuits 
and could read photoelectrically two loops of 5-channel teletype punched 
tapes with up to 2 000 characters per second, thanks to some electronic cir¬ 
cuitry for fast counting. According to Donald Michie, HEATH ROBINSON 
used the saw-buck principle, too, and should have served well for coincidence 
examination and the finding of repetitions. It was flexible enough to serve also 
for stripping superencipherment and forming difference tables (Sect. 19.3). 
Actually, after W. M. Tutte had explored the internal structure of the cipher 
teletype machine SZ40 (Sect. 19.2.6), the machine was used mainly for the 
Z 2 addition of a key text to the cryptotext, shifted until the right phase was 
met. SUPER ROBINSON (finished May 1945) had four tapes; DRAGON 
(for ‘dragging text through’) had similar objectives. While the Bletchley 
Park version was electronic, the American DRAGON was made with relays. 
SUPER ROBINSON was still suffering mechanical wear. An improvement 
was COLOSSUS, which had one loop stored internally with the help of vac¬ 
uum tubes and thus was able to process 5 000 characters per second without 
mishap. We shall come back to ROBINSONs and COLOSSUS in Sect. 19.3 . 

17.3.4 Comparators. More is now known on American special devices 
for periodicity examination by Kappa test (‘I.C.’) through the work of Colin 
Burke. Vannevar Bush (1890-1974), well known already for his pioneering 
work on analog computers (the Differential Analyser) for solving differential 
equations, started in 1937 to build a device for counting coincidences, named 
COMPAR ATOR, for OP-20-G, the cryptologicaL branch of the US Navy, fol¬ 
lowing specifications of its head, Joseph N. Wenger. It worked in a l-out-of-26 
code, too. But unlike the British, who at first used approved engineering tech¬ 
nologies, Bush had high-flying plans for very fast photoelectric scanning and 
electronic counters (in a l-out-of-10 code). In 1937 it was risky to make an 
electronic device with more than 100 vacuum tubes working together. The 
project also failed for organizational reasons. Nevertheless, it was contin¬ 
ued, which can be explained perhaps with the role Bush played as director 
of the National Defense Research Committee (later Office of Scientific Re¬ 
search and Development ) during the war. Its slow and insufficient progress 
not only robbed Admiral Stanford Caldwell Hooper, Chief of Naval Commu¬ 
nications and his aide Wenger, the proponent of pure cryptanalysis that runs 
without intuitive guidance, of their immediate success, but also delayed the 
Navy’s OP-20-GY in its use of cryptanalytic machinery. Correspondingly, in 
1941, if not earlier, the USA was surpassed in its cryptanalytic knowledge 
and machine potential against machine-encrypted communication channels 
by Britain. It was not until 1946 that things turned around. 

Pure cryptanalysis, however, had its strong advocates among the mathemati¬ 
cally minded cryptologists. A small group under the experienced Agnes Dris¬ 
coll nee Meyer, with the support of the mathematician Howard T. Engstrom, 
attacked the ENIGMA with methods of pure cryptanalysis. For this task the 
microfilm machine HYPO (the ‘Hypothetical Machine’) was built in 1942, 
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and was operational late in 1943. It was directed against German ‘ofUzier’ 
messages, i.e., superencrypted ENIGMA messages, and against ‘duds’, mes¬ 
sages where steckering, ring setting and rotor order are known, but the initial 
rotor position is not, or against garbled cipher text. Specially oriented against 
the Japanese rotor machines were the relay machines VIPER and PYTHON 
(designed about 1943) and descendants like the electronic RATTLER. 

17.3.5 RAM. Next to Kappa , Chi can also be used in periodicity exami¬ 
nation, as we shall show in Sect. 17.5 . The Chi test, proposed by Kullback 
in 1935, was not favored in 1937, because it involved not only counting but 
also additions and even multiplications; however it was adopted in 1940, and 
in the RAM machines (‘Rapid Analytical Machines’) in 1944 it achieved the 
success it deserved. In principle, the COLOSSUS machines were able to per¬ 
form a Kullback examination, but whether this was actually done is not clear. 

As soon as electronic universal computers were ripe, they were used in crypt- 
analytic work. The first special-purpose, dedicated computer models named 
DEMON, OMALLEY, HECATE, WARLOCK were in use by the end of the 
1940s, then an advanced COMPARATOR, GOLDBERG 3 , and the ATLAS I 
and ATLAS II computers became operational at the beginning of the 1950s. 
More and more of the effort in cryptanalysis was transferred into the pro¬ 
gramming of universal computers with fast special and often secret additional 
circuitry (Supercomputer CRAY, Plate Q). 

17.4 Kasiski Examination 

As a meager limit case of the Kappa plot for multigrams, only long multigrams 
that occur repeatedly are determined, and the distances between the repeti¬ 
tions are recorded. This search for ‘parallels’ ( Parallelstellensuche ) was pub¬ 
lished in 1863 by F. W. Kasiski; before the age of Friedman and Kullback, 
it was then the preferred systematic means of attack by professional decryp- 
tors against polyalphabetic encryption, and shattered at least in the periodic 
case the widespread belief that this encryption is unbreakable (Sect. 8.4.2). 

17.4.1 Early steps. Unsystematic attacks on polyalphabetic encryptions 
started shortly after they were invented. Giambattista Della Porta was some¬ 
times lucky: OMNIA VINCIT AMOR was the (too) short and not at all 
esoteric key once used by an incompetent clerk, and it took Della Porta only 
a few minutes to guess it and break into the encryption. He himself used only 
long keys and advocated the use of keys far from daily use. And Giovanni 
Batista Argenti, given by his lord Iacomo Boncampagni, Duke of Sora— 
nephew of Pope Gregor XIII—the following cryptogram to test his ability, 

QAETEPEEEACSZMDDFICTZADQGBPLEAQTAIUI 
solved it quickly, as he wrote, on October 8, 1581; he was guessing the key 

3 Said to be named after Rube Goldberg, American counterpart to Heath Robinson. Pos¬ 
sibly an allusion to Emanuel Goldberg, an inventor of photoelectric sensing. 
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INPRINCIPIOERATVERBUM and relying on the fact that the Duke had al¬ 
ways used self-reciprocal permutations of the kind Della Porta had described 
in 1563 (see Sect. 7.4.4, Fig. 65)—why should the Duke have invented some¬ 
thing on his own? The plaintext was the beginning of the TEneid of Vergil 
arma virumque cano troice qui primus ab oris. 

Della Porta had early on a methodical idea: If with an Alberti disk the crypt 
alphabet is shifted at every step by one position, then certain frequently 
occurring bigrams like /ab/, /hi/, /op/ and trigrams like /def/ (in deficio) 
or /stu/ (in studium) generate letter repetitions in the cryptotext. Della Por¬ 
ta found MMM and 51 positions later MMM again, and he concluded that 
the key should have period 17 and be repeated three times, since the period 
51 would be too long and the period 3 too short for a clever cipher clerk. 

Della Porta came within a hair’s breadth of finding Kasiski’s method. All it 
needed was to understand that the pattern 111 did not matter, but just the 
repetition itself of some cryptotext fragment, caused by a coincidence of a fre¬ 
quent plaintext fragment with one and the same piece of the repeated key, 
which should normally happen only in a distance which is a multiple of the 
period. Had Della Porta noticed this and published, polyalphabetic encryp¬ 
tion would not have been invulnerable still at the time of Edgar Allen Poe. 

The following simplified example by Kahn may illustrate the Kasiski exami¬ 
nation: Assume a VIGENERE method in Z 26 works with a key RUN of the 
(too) small length 3 : 

tobeornottobethatisthequestion 
R UNR UNR UNR UNR UNR UNR UNR UNR UNR UN 

K_I OJV I E E I G KJ O V N URNVJ NUVKHVMGZI A 

Then the key fragment RUNR meets the plaintext fragment /tobe/ twice 
in a distance 9, which results in the repeated fragment KIOV, moreover the 
key fragment UN meets the plaintext fragment /th/ twice in a distance 6, 
which results in the repeated fragment NU . The distances 9 and 6 must be 
multiples of the period, which can only be 3 (or 1). 

A similar example with a key COMET of length 5 is 

therei sanoth erf a mo us pi anopl ay 
COMET COMET COMET COMET COMET COME 
V V Q V X KGMRH V V Q V Y C A A Y L R WM R H R Z M C 

In this example the distances of the repeated fragments are 10 and 15, so the 
period can only be 5 (or 1). 

17.4.2 Babbage on decryption. Ten years before Kasiski, Charles Bab¬ 
bage may have had an inkling of the importance of repetitions. Not only 
did he like to read the monoalphabetically encrypted messages in the agony 
columns of the Victorian London gazettes, he also liked to look inside polyal- 
phabetics with word division. His dealing with linear simple encryption steps 
led him in 1846 to a description of VIGENERE encryption steps by mathe- 
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matical equations (Sect. 7.4.1, 7.4.3), and thus he could find solutions by 
using probable words in the plaintext as well as in the key. Via such suc¬ 
cesses, as the Babbage papers in the British Museum show, he developed 
an understanding for the subtleties of periodic encryptions, although even if 
he found out about the importance of Kasiski repetitions, as Ole Immanuel 
Franksen suggested in 1984, he did not write about this. 

Thus, the honor of first finding a systematic means of attack against polyal- 
phabetic encryption, not even limited to linear substitutions, and hence 
founding modern cryptology, goes to a retired Prussian infantry major. Fried¬ 
rich W. Kasiski was born November 29, 1805 in Schlochau, West Prussia (now 
Czluchow, Poland). In 1822 he entered the East Prussian 33rd Fusilier- 
Regiment Graf Roon, where he served until 1852. In his leisure time he turned 
to cryptography. In 1863 his 95-page booklet Die Geheimschriften und die 
Dechiffrirkunst was published by the respected Mittler & Sohn in Berlin. 

At first, his publication caused no sensation, and Kasiski turned disappointed 
to natural history, where he won local fame. The revolution in cryptology 
he initiated took place after his death on May 22, 1881. Kerckhoffs com¬ 
mended Kasiski’s work in an important paper of 1883, and the books of de 
Viaris in 1893 and Delastelle in 1902 were based on this. Around the turn of 
the century the revolution was under way, and the vulnerability of periodic 
polyalphabetic encryption was generally accepted among professionals. 

In the light of William F. Friedman’s discovery in 1925 of the index of co¬ 
incidence, the Kasiski examination appears to be a rough method. Bigram 
repetitions are neglected, ‘because they are so frequent’, and single char¬ 
acter repetitions anyway—while Kappa counts all repetitions and asks only 
whether there are more than average. Ignoring bigram repetitions was also 
justified by the fact that in rare cases they can come about accidentally. Even 
with trigrams this occurs, and it disturbs the analysis—while the index of 
coincidence, because of its stochastic nature, is unaffected. 

The Kasiski examination establishes as the period the greatest common divi¬ 
sor of the distances of the recorded repetitions, excluding pragmatically those 
that are considered annoying and presumed to be nothing but accidental 
repetitions. In this respect, the Kasiski examination is intuitive and un¬ 
friendly to mechanization. Moreover, the Kasiski examination needs longer 
texts to be conclusive about a period than the Friedman examination. 
Accidental repetitions are frequently observed and easily explained in case 
of linear substitutions. The reason is the commutative law that holds for 
addition modulo N : /anton/ with the key BERTA and /berta/ with the key 
ANTON give the same. This effect occurs with more than average frequency 
if both plaintext and key are from the same natural language, particularly 
from the same genre. Repetitions in the keytext can also lead to ‘wrong 
repetitions’ in the cryptotext- keys with words like DANSEUSECANCAN, 
VIERUNDVIERZIG can irritate the unauthorized decryptor. We shall come 
back to this in Sect. 18.5 . 



342 17 Periodicity Examination 


17.4.3 An example. The model examples in the literature for a Kasiski 
examination almost always show window-dressing: they present more repe¬ 
titions than can be expected on average. For the following example (Kahn) 
this cannot be said. The plaintext turns out to be a worthwhile recommen¬ 
dation from Albert J.Myer (1866), US Signal Corps officer. The cryptotext 
reads: 


AN YVG 

Y S T Y N 

R P L WH 

RDTKX 

RNYPV 

QTGHP 

H Z K F E 

Y UMU S 

A YWV K 

Z Y E Z M 

E Z U D L 

J K T U L 

J L K Q B 

J UQ VU 

E C K B N 

RCTHP 

KESXM 

A Z O E N 

S XGO L 

P G N L E 

E B MM T 

G C S S V 

MR S E Z 

MX H L P 

K J E J H 

T U P Z U 

E DWK N 

N N RWA 

G E E X S 

L K Z U D 

L J K F I 

XHTKP 

I A Z MX 

F A CWC 

T Q I D U 

WB RR L 

T T K V N 

A J WV B 

R E AWT 

N S E Z M 

0 E C S S 

V M R S L 

J M L E E 

B MM T G 

A Y V I Y 

GH P EM 

Y F A RW 

A O A E L 

U P I U A 

Y YMG E 

EM J QK 

S F C G U 

G Y B P J 

B P Z Y P 

J A S N N 

F S T U S 

S T Y VG 

Y S 




The character frequency count is shown in Figure 141; it is too uniform to be 
explained by a monoalphabetic substitution or by a transposition. Thus, sus¬ 
picion falls on a polyalphabetic substitution. This is supported by the wealth 
of repetitions seen when a Kasiski examination is made. There are nine 
repetitions of length 3 or more, among which some are very long, like LEEB- 
MMTG and CSSVMRS. Their distances are listed in Figure 142 together with 
their prime factor decompositions. The greatest common divisor is 2, but this 
very small apparent period is presumably caused by accidental repetitions. 

14 8 7 5 22 6 12 8 5 11 14 13 16 13 4 13 5 11 18 15 14 10 9 7 16 11 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 

Fig. 141. Frequency count in the cryptotext of Myer 
Fragment Distance Prime factor decomposition 


YVGYS 

280 

2 3 • 

5 • 7 

STY 

274 

2- 

137 

GHP 

198 

2 • 3 : 

2 • 11 

ZUDLJK 

96 

2 5 

• 3 

LEEBMMTG 

114 

2 • 3 

; • 19 

CSSVMRS 

96 

2 5 

• 3 

SEZM 

84 

2 2 • 

3 • 7 

ZMX 

48 

2 4 

• 3 

GEE 

108 

2 2 

• 3 3 


Fig. 142. Prime factor decomposition of distances of Kasiski repetitions 
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Following Kasiski verbatim, the distances are to be decomposed into factors, 
the factor most frequently found being the period. The literature interprets 
this, following M. E. Ohaver, usually that all factors (i.e., not only the prime 
factors) are to be listed (Fig. 143). This leads to the possibility of two fac¬ 
tors occurring equally often, in which case the larger one will be taken if it 
is a multiple of the smaller one—otherwise it might be better to follow two 
possibilities. In Figure 143, apart from the factor 2 which we have dismissed 
as too small, the factors 3 and 6 both occur 7 times. This would make the 
factor 6 our candidate. As it turns out this is right, but we should put it 
down to luck. The correct rule, to take the greatest common divisor of all 
causal repetitions, suffers from the defect that we will only know afterwards 
which ones were causal. Intuitively we are inclined to omit those ‘annoying’ 
repetitions whose distance does not contain an otherwise most-frequent prime 
factor—in Fig. 142 both YVGYS and STY do not contain the otherwise fre¬ 
quent factor 3. Since YVGYS is rather long, it is hard to believe that it is 
accidental, but otherwise 2 would be the period, which is even harder to 
believe. If both GHP and LEEBMMTG were omitted, 12 would be a candidate 
for the period. But since LEEBMMTG is very long, this is unlikely, too. Thus, 
one has to live with the suspicion that 6 is the period. 
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Fig. 143. Factors of the distances of Kasiski repetitions 


No doubt, this shows another weak side of the Kasiski examination. A too- 
small value of the alleged period, caused by an accidental repetition, ruins the 
subsequent process of reconstruction of the alphabets. On the other hand, it 
can happen that the greatest common divisor of all the distances is a multiple 
of the genuine period. This not only causes an increase in the subsequent 
work load, but also makes the reconstruction of the alphabets less safe. 

Under all circumstances, the Friedman examination is more reliable than the 
Kasiski examination. 

Anticipating the later decryption (Sect. 18.1), we note that STY and YVGYS 
will turn out to be accidental repetitions, originating from a linear substi¬ 
tution over Z 26 . The key is SIGNAL , and YVGYS originates the first time 
from /signa /+GNALS, the second time from /gnals /+SIGNA: STY comes 
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the first time from /als/+SIG, the second time from /sig /+ALS. This is ef¬ 
fected by the use of a key word SIGNAL out of the genre of the plaintext. 
It complicates unauthorized decryption and is desirable for the cryptograph. 
By the way, it also blunts the aggressiveness of the Kappa and Chi tests. 

Accidental repetitions can also occur without being the result of commuta¬ 
tivity. The great French cryptologist Etienne Bazeries once had no luck with 
a BEAUFORT encryption: In 1898, in a telegram from the insurgent Duke 
of Orleans, 

GNJLN RBEOR PFCLS OKYNX TNDBI LJNZE OIGSS HBFZN ETNDB . 

he found a Kasiski repetition TNDB of length 4 with a distance 21, but it was 
accidentally produced by ERVE — /lesd/ and by IERV—/ prou/ (the 
key actually was: VENDREDIDIXSEPTFEVRIER). The two further 
repetitions EO and AQ of length 2 occurred with distances 22 and 13 . What to 
do? Bazeries was more confident of the longer repetition TNDB and assumed 
the period 21, but this was a dead end that cost him much time. In the end, 
it turned out that only the short repetition EO of length 2 with the period 22 
was causal. Bazeries remarked bitterly “en cryptographic, aucune regie n’est 
absolue. ” [in cryptography, hardly any rule is absolute.] 

17.4.4 Machines. Despite its weakness the Kasiski examination was still 
used as an auxiliary in the Second World War. The Cipher Branch of the Ger¬ 
man OKW developed and employed a special Parallelstellensuchgerat (Willi 
Jensen)—apart from the Perioden- und Phasensuchgerat (Sect. 17.3.2), us¬ 
able for a Friedman examination. The cryptotext was punched in a 2-out-of- 
10 code (Sect. 17.3.1) on film tape in two copies. One copy (A) was closed 
into a loop and ran continuously through a scanner, while the second one 
(B) advanced one position in its scanner for every finished loop of (A) (saw- 
buck principle, see Sect. 17.3.2). In case of coincidence, two holes met at the 
scanner, which could be discriminated by a photoelectric cell. With the help 
of a diaphragm of varying breadth, it was possible to detect in turn bigram, 
trigram, ... repetitions; within the available accuracy of measurement repe¬ 
titions with up to 10 characters could be searched for. The registration was 
done by a spark on an aluminum plate movable in two directions, one for 
(A) and one for (B). The device was rather fast: to run a bundle of texts 
of 10 000 characters altogether, requiring 10 8 comparisons, took less than 3 
hours. It served mainly to obtain quick information on texts in the bundle 
that were encrypted with the same key, then for detailed investigation the 
Perioden- und Phasensuchgerat was used. The device was destroyed at the 
end of the war, before it had been very long in practical use. 

In the USA, Bush built for OP-20-G in 1943 TETRA (nicknamed ICKY, 
TESSIE, see also 18.6.3), that could find long repetitions, or patterns of 
identical subgroups, and allowed a flexible selection of combinations through 
a plugboard. Around mid-1944, under Friedman, development of a universal 
cryptanalytic machine using microfilm, the Eastman 5202, started. 
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17.4.5 Memex. Photoelectric sensing, as used by the German, US and Bri¬ 
tish cryptanalysts, goes back to early attempts to use it for document retrie¬ 
val. In 1927, Michael Maul of Berlin received patents which were assigned to 
IBM as US Patents 2 000 403 and 2 000 404. The work of Emanuel Goldberg 
(‘Statistical machine’, US Patent 1838 389, Dec. 29, 1931; filed April 5,1928) 
preceded Bush’s 1937 plans both for the COMPARATOR and for the first 
document retrieval system RAPID SELECTOR (later to become‘Memex’). 

17.5 Building a Depth and Phi Test of Kullback 

With a guess at the period d of a polyalphabetic encryption, a simple manual 
process for determining the number of coincidences for shifts by k-d positions 
consists of writing the cryptotext in lines of length d, thus forming d columns 
Ti, T 2 , T 3 , ... Td- In the parlance of cryptanalysts, this is called ‘writing out 
a depth’ or ‘building up a depth’. 
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Fig. 144. Cryptotext of G. W. Kulp, in twelve columns 


Figure 144 shows the result for the cryptotext of G. W. Kulp with the guessed 
period d = 12 (for the definition of f> p see Sect. 17.5.2). Coincident single 
characters ( dopplers ) with the minimal distance d catch the eye immediately, 
e.g., Z in column 12, in the first and second lines. But also repetitions with a 
distance k- d are easily seen, e.g., another Z in column 12, in the last line but 
two. Bigram repetitions (bigram dopplers) show up, too, e.g., the bigram WK 
in the fourth and seventh lines, the bigram MW in the second and eleventh 
lines, the bigram WZ in the twelfth and last but one lines, the bigram NU in 
the sixth, eighth, and last but two lines. 



346 11 Periodicity Examination 


17.5.1 Forming the columns. The minor effort of arranging the cryp¬ 
totext in u columns allows more than finding some Kasiski repetitions. If 
the guess as to the period is correct, then and only then is each column T p 
encrypted monoalphabetically. This should be tested by forming the Phi(T p ) 
for p = 1,2,..., u — 1, u (for convenience, we may assume u\M). In the posi¬ 
tive case, values close to ks and much larger than kr = y, should be expected 
for all Phi(T p ); in the negative case, they should fluctuate. This is the Phi 
test of Kullback, a very sharp criterion for the examination of the period. 

17.5.2 Phi test is better than Kappa test. It may be appropriate to 
form a mean of the values Phi{T p ) for p = 1,2,..., u — 1, u : 

u u N 

Phi^ u \T) = i • E PhiiTp) = i • 

p= 1 p= 1 2=1 

where m[ p ' > is the frequency of the *-tli character in the p -th column. Thus 

u N 

Phi^ (T) = u ■ E 0p /{M ■ (M — u)) , where </> p = E m \ P ^ ' ( m l^ — 1) • 

p— 1 2=1 

Similar to the derivation in Sect. 16.4.1, there is the 

1 M -1 

Kappa -Phi(“) Theorem: - Kappa{T^ p \T) = Phi^ u) {T) . 

~ 1 p= i 

Thus, Phi^ u \T) is the arithmetic mean of all Kappa(T^ u ' p \T ), i.e., of all 
coincidences at distances that are a multiple of u. It turns out to be a very 
sharp instrument. 

17.5.3 Example. For u = 12 there are twelve alphabets, from each one 
there are 16 or 15 characters in a column. Calculation of 4> p gives (Fig. 144): 
for the first column with three S , three N, two G : 

0! = 6 + 6 + 2 = 14; 

for the second column with three N, three U, two B , two F : 

<f>2 = 6 + 6 + 2 + 2= 16; 

for the third column with three M, two A , two B , two X: 

(j) 3 = 6 + 2 + 2 + 2 = 12; 

for the fourth column with four X, two K, two L : 
cj) A = 12 + 2 + 2 = 16 ; 

for the fifth column with four I, three M, three V, three W: 

= 12 + 6 + 6 + 6 = 30; 

for the sixth column with four W, two H , two V: 

06 = 12 + 2 + 2 = 16 ; 
and so on. Thus, 

Zl ir 0p = 190 , Phi {12) = 12 • 190/(187 • 175) = 6.97%. 

Note that K e = 6.58%. Thus, u = 12 could well be the period. 
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Fig. 145. Cryptotext of G. W. Kulp, in eleven columns 


For i4 = 11 there are eleven alphabets, and from each there are 

17 characters 

in a column. 

Figure 145 shows, there 

is a doppler 

W with distance 11 in the 

second and third lines, and 

a doppler V in 

the first, sixth and seventh lines 

of the eleventh column. There are no 

bigram dopplers any longer. 

Calculation of <f> p gives (Fig. 145) 








EpLi ^ 

, = 110 , Phi (n ) = 

= 11 • 

110/(187- 

176) = 

= 3.68% 



Note that 

hr 

= 3.85%. Phi 1 ' 11 ^ is remarkably smaller than Phi 

and even 

smaller than kr. 

L4 = 11 has little chance to be the period. 
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Fig. 146. Cryptotext of G. W. Kulp, in thirteen columns 
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For u = 13 there are thirteen alphabets, and from each there are 14 or 15 
characters in a column. Figure 146 shows that calculation of (j) p gives 
Epli </>p = 126 , Phi {13) = 13 • 126/(187 • 174) = 5.03% . 

Thus, u = 13 also is not a good candidate for the period. 

In this way PhP u > can be calculated for u = 2,3,4,... and plotted (Fig. 147). 
The value for u = 12 is much more conspicuous than in Fig. 131. It can be 
seen that the Kullback examination is a finer instrument than the Friedman 
examination. 

There is a further peak at u = 24, which should be expected. But there 
are also peaks, although slightly smaller, at u = 6 and even at it = 18. It 
therefore cannot be excluded that u = 6 is the period. (The discussion of the 
example will be continued in Sect. 18.5.3 .) 


J. J. J. J. 


K e 


KR 


I_ u 

Fig. 147. Phi (“1 plot for the cryptotext of G. W. Kulp, suggesting plaintext is in English 

17.6 Estimating the Period Length 

From the Kappa-Phi theorem of Sect. 16.4.1 we obtain for the expectation 
values of a cryptotext Q (with a key of period d) 

(Phi(T))W = j^Z“?iKappa(TW,T)) Q . 

From a remark at the beginning of this chapter, we may deduce that 
{Kappa(T^ d \T^) Q = n s , 
moreover, we may find, if u is not a multiple of d, 

<■ Kappa(TW,T)) Q « k r = ± 

Assuming furthermore for simplicity that M is a multiple of the period d, 
then in the sum above: Kg appears ^ — 1 times, k r appears M — times; 
thus ( Phi{T)) { Q I ' > is a mean of ns and k r , 

(M- 1) • {Phi{T)) ( Q I ' > « (f - 1) • k s + ((M - 1) - (f - 1)) • k r . 

Assuming that the observed Phi(T) approximates the expectation value, we 
find (Abraham Sinkov, around 1935): 

(M — 1) • Phi(T) « (f + -!))■««. 
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Although only an estimation, this fundamental relation shows qualitatively 
how with constant stochastic source, but increasing period of a polyalphabetic 
encryption, the value of Phi changes. 

For large M and d <C M one can work with 


Phi(T) « ^ • n s + (1 — \) * kr 
a a 

almost as well. 

Sinkov’s relation can be solved for d: 


( M ^ (M — 1) • (Phi(T) — kr) . 

(-T- 1 )~- ,i-e. 

d Ks~ kr 

, __ ks - k r _ 

” («s - Phi(T))/M + (. Phi{T) - KR ) ' 

For large M and d <C M 


, _ ~ Kr 

Phi(T) - k r 

can also be used. 

For example, for the cryptotext of G. W. Kulp with M = 187, according to 
Sect. 17.1.3, Phi = 4.56%, so with ks = n e = 6.58%, kr = jj = 3.85% 
we obtain 


2.73% 

(2.02%/187) + 0.71% 


3.79 or simplified 


2.73% 

0.71% 


3.85 . 


This value is low compared with a presumptive period d = 12, and would fit 
better with d = 6. But the estimate is rather unstable and should not be 
taken too seriously. The Sinkov estimate can only give support to a serious 
Kasiski, Friedman, or Kullback examination if the period is small. 
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Provided the period d of a polyalphabetically encrypted text is determined 
sufficiently reliably, and by building a depth can be reduced to solving d 
monoalphabetic encryptions, one can try to reduce the accompanying alpha¬ 
bets—if possible—to a primary alphabet. In case of VIGENERE encryption, 
an exhaustion of all accompanying standard alphabets by matching profiles 
(Sect. 18.1) is easy enough. The same aligning can be done in the case of 
ALBERTI encryption, if one of the standard alphabets is known or has 
been found out (Sect. 18.2). In general, however, a mutual aligning of all 
alphabets (Sect. 18.3) is needed to reconstruct the unknown primary alpha¬ 
bet (Sect. 18.4). For this purpose, a Kullback examination will work wonders. 
The case of unknown unrelated alphabets, where each one is to be determined 
by itself, cannot be treated this way. 

18.1 Matching the Profile 

In view of the wide acceptance VIGENERE encryption has found, it may 
often be worthwhile to try this entry, which does not need much effort. Thus, 
if d is the period, d profiles are to be plotted. The strip method for ex¬ 
haustion (Chapter 12) and pattern finding (Chapter 13) for the individual 
monoalphabetic CAESAR additions do not work, since the texts are torn to 
pieces (German zerrissen). 

20001023063330000061525024 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 

Fig. 148. Frequency distribution in the first column of the cryptotext of Sect. 17.4.3 


18.1.1 Using a depth. Thus, for the example of Myer’s text (Sect. 17.4.3) 
we recommend building a depth and counting the frequencies for each of the 
six columns. For the first column, i.e., for the subtext consisting of the 1st, 
7th, 13th, ... characters, the result can be seen in Figure 148. Even without 
plotting, the English profile is immediately recognizable: NOPQR is the v- 
w-x-y-z lowland, to its left JKLM is the r-s-t-u ridge. Then DEFGH is at 
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the right distance to be the 1-m-n-o ridge, which does not show clearly. But 
the cryptanalyst has to be prepared for such fluctuations, in particular if the 
depth is not large. This remark applies also to the observation that W does 
not have the frequency one would expect for the e-peak. 

With S'. S = a the first column is aligned, and it can be expected that 
the whole is a VIGENERE system. The first key letter S is found. With the 
other columns a similar procedure is carried through, to give us step by step 
the key 

SIGNAL , 

which is confirmed by subsequent decryption of the whole cryptotext. With 
fragments leading to causal repetitions underlined, the plaintext is 
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Now we can even see how the causal repetitions were accomplished: the Ion- 
gest, LEEBMMTG, originates from a repeated combination of /frequent/ with 
GNALSIGN-, another one, ZUDLJK, from a repeated combination of /mustbe/ 
with NALSIG. CSSVMRS comes from /changes/ with ALSIGNA. Strangely, 
the repeated occurrence of /cipher/ in the plaintext did not lead to a repe¬ 
tition. SEZM, GHP, ZMX, GEE are caused by /sthe/, /the/, /her/, /are/ 
meeting ALSI , NAL, SIG, GNA . YVGYS and STY are accidental repetitions. 


18.1.2 Plotting the profiles. In the case of relatively long keys the depth 
is small, and it may be difficult to recognize frequency differences. Then 
there is still the simple possibility of a graphical plot. For the cryptotext of 
G. W. Kulp (Fig. 130) the preparatory work of forming the columns for d = 12 
was already done in Sect. 17.4, and the alignment can immediately follow 
the Kullback examination of the period. From Fig. 144 the twelve profiles 
in Fig. 149 are derived. In Fig. 150 they are aligned to match somewhat the 
frequency profile of English. The trial was successful here, too. 

The 11th column is misleading: /e/, the most frequent character, does not 
occur. Quite generally it can be said that in case of small sets of characters 



352 18 Alignment of Accompanying Alphabets 


1 st column 


2 nd column 


3rd column 


4th column 


5th column 


6 th column 


7th column 


8 th column 


9th column 


10 th column 


11 th column 


12 th column 


Standard 


1 , 

, 1 . 1 , . 

1. . 

II.. 

. 1 .. 

. 1 . 

1 1 

1 1 1 1 1 1 1 

1 ill 

1 

.1 1 . 

II 

1 1 

1 .. 

. 11.. 

1 . 

, . 1 . 1 

1 11 

1. 

.. 1.1. 

1 1 

1 . 

. . 1 . 

1 I 

1 

1. 1.1. 

, ,1 

1 1 

. 1 .. 

,,l 

1 1 

. .. 1 .1 

, , 1 

1 ■ 1 1 

1 ■ 11_ 1111. II 

1 ■ 1 1 


ABCDEFGHI J KL MNOPQRS TUVWX Y Z 


Fig. 149. Profiles for the cryptotext of G. W. Kulp 



N = a 


I = a 


T = a 


E = a 


D = a 


S = a 


T = a 


A = a 


T = a 


E = a 


S = a 


Standard 
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it is preferable to align first the rare characters, particularly the rarest ones, 
the missing ones. Then some of the /e/—the ones in the third, fourth, fifth, 
ninth and tenth column—give a good clue. 

In this way, it turns out that the plaintext /a/ corresponds in the first alpha¬ 
bet to U, in the second alphabet N, in the third alphabet I, in the fourth, 
eighth and tenth alphabets T, in the fifth and eleventh alphabets E, in the 
sixth alphabet D, in the seventh and twelfth alphabets S . In the ninth alpha¬ 
bet A corresponds to plaintext /a/, therefore this substitution is the identity. 
To suppress it in the case of a VIGENERE would be a technical error, since 
this would open the possibility of a non-coincidence attack (Sect. 14.1). 

The alignment is certainly facilitated here by the fact that one alphabet 
occurs three times. The repeated occurence of a letter in the key (here 
T three times, E and S two times) is a technical error, too and should be 
avoided by all means. 

The key word is now revealed as 

UNITEDSTATES . 

This makes sense in the circumstances of Philadelphia in 1840. In the sense of 
Rohrbach’s maxim, the decryption, with the key period d= 12 , is completely 
convincing. Thus, Edgar Allen Poe was a little bit unfair in saying the text 
was an imposition. For the curious, the decrypted text is given in Fig. 151. 
The decryption was successfully done in 1975 and published by Brian J. 
Winkel in Martin Gardner’s column in Scientific American, August 1977. 
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Fig. 151. Plaintext of the Kulp message, as solved by Mark Lyster and Brian J. Winkel 


18.2 Aligning Against Known Alphabet 

Aligning the alphabets with the naked eye may seem difficult in Fig. 149 , say 
with the first or with the eighth column. 

18.2.1 Using Chi. Computational means turn out to be a sharper instru¬ 
ment. A natural idea is to determine the alignment shift by calculating the 
Chi between the frequencies of the alphabet in question and the primary al¬ 
phabet. This is shown in Figure 152 for the unshifted standard alphabet and 
in Figure 153 for the suitably shifted alphabet with /a/ corresponding to U. 

In the first case (a = A) the value 64.81/16 %= 4.05% results for Chi ; in the 
second case (a = u) the markedly larger value 86.03/16 % = 5.38%. 
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0110002011010 
ABCDEFGHI JKLM 
8.04 1.54 3.06 3.99 12 . 512.30 1.96 5.49 7.26 0.16 0.67 4.14 2.53 

abcdef ghi j kl m 

3000030001110 
NOPQRS TUVWXYZ 
7.09 7.60 2.00 0.11 6.12 6.54 9.25 2.71 0.99 1.92 0.19 1.73 0.09 
nopqr s t uvwxyz 




20.08 


A 


44.73 


64.81 


Fig. 152. Chi for standard alphabet against first column 


0011100110002 
UVWXYZ ABCDEF G 
8.04 1.54 3.06 3.99 12 . 512.30 1.96 5.49 7.26 0.16 0.67 4.14 2.53 
abcdef ghi j kl m 

0110103000030 
HI J KLMNOPQRS T 
7.09 7.60 2.00 0.11 6.12 6.54 9.25 2.71 0.99 1.92 0.19 1.73 0.09 
nopqr s t uvwxyz 




37.37 


>1 


48.66 


86.03 


Fig. 153. Chi for standard alphabet against first column, shifted a = U 


Table 21 lists the Chi values for all shifts. It turns out that besides a = U 
also a = J and a = F are distinguished. These three choices need further, 
exhaustive treatment, a = M results in the smallest value of Chi. 

This shows that a periodic VIGENERE system can be decrypted mechani¬ 
cally under reasonably fortunate circumstances. For a text as long as that in 
the case Kulp vs. Poe this is not only successful, but also feasible with the 
support of a personal computer. 

18.2.2 Strip method. The basic idea of aligning against a primary 
alphabet—in case of a VIGENERE system the standard alphabet, in case 
of an ALBERTI system a mixed alphabet fallen into unauthorized hands— 
albeit without calculation of the Chi, is found rather early in the literature. A 
common version uses strips as in Sect. 12.8.1 for the primary alphabet, with 
the most frequent characters (in English the nine characters etaonirsh) 
printed in boldface or in red color -in mechanical solutions in the Second 
World War (Ernst Witt, Hans Rohrbach) using semitranslucent paper—and 
with the rarest characters (in English the five characters jkqxz) missing. 
Using a column of the cryptotext as line, the corresponding plaintext—which 
is torn, however—is to be found in some other line, and it is plausible to take 
a line with a maximum of boldface characters, provided that line has no 
or only a few missing characters. This is shown in Figure 154 for the first 
column 

GIYLBNSNJWXCSNSG 

of the example of G. W. Kulp, Fig. 144. The line marked by a = U clearly 
stands out. The line marked by a = F has two boldface characters more, 
but also one rare letter. As indicated by the values in Table 21, the problem 
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Alignment 

Chi 

a = A 

4.05% 

a = B 

3.54% 

a = C 

3.70% 

a = D 

2.64% 

a = E 

4.38% 

a = F 

5.54% 

a = G 

4.07% 

a = H 

2.97% 

a = I 

2.98% 

a = J 

5.13% 

a = K 

4.43% 

a = L 

3.60% 

a = M 

1.72% 

a = N 

4.30% 

a = O 

4.85% 

a = P 

4.11% 

a = Q 

3.01% 

a = R 

2.77% 

a = S 

4.71% 

a = T 

3.59% 

a = U 

5.38% 

a = V 

3.71% 

a = W 

3.37% 

a = X 

2.65% 

a = Y 

4.18% 

a = z 

4.62% 


Table 21. 

Calculated values of Chi 

for standard alphabet against first column 


emerges of deciding between these two keys U and F for the first column. 
The remaining lines, e.g., a = J, are inferior, a = M shows the worst case. 

18.2.3 Additional help. As soon as the shift is determined for a second 
column, too, we can hope that bigram frequencies will help in such decisions, 
in our case between the competing keys U and F . The determination of the 
individual key letters is thus mutually supporting. 

18.2.4 Slide method. A related method uses a slide or a disk, corre¬ 
sponding exactly to the original, carrying the standard alphabet or a mixed 
alphabet fallen into unauthorized hands. The most frequent letters on the 
plaintext side are again specially marked, say in boldface type, and the rarest 
ones omitted. On the cryptotext side, the observed frequencies are marked, 
say by strokes. For the letters of the column GIYLBNSNJWXCSNSG, 
the frequencies are marked as follows (Fig. 155): 

abcdefGhTjklmNopqrItuvwxyz 
Then the two slides or disks are moved against each other until the ‘boldest’ 
confrontation is found. Clearly, this is only a variant of the method above. 
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, = A 


a = U 


a = M 

a = J 

a = F 


Fig. 154. 

Strip method: 
Search for the 
‘boldest’ line 
(for first column 
in Fig. 144) 


18.2.5 Reach of the method. This principle of ‘controlled exhaus¬ 
tion’ can be used in all cases where it is known how to obtain from a primary 
substitution all other substitutions, among others also in case of ROTOR 
encryption steps. A depth of at least 6 -9 is aimed at, i.e., normally 6-9 
cryptotext letters per key letter are required for success. 

In other words, to prevent this attack, the plaintext should not be longer 
than six times the key length. 
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Fig. 155. Slide for decryption of a column of torn text 
a = U: a good match a = F: a good match, too a = M: a bad match 

Moreover, the method can also be used for polyalphabetic encryption with 
arbitrary unrelated alphabets that have fallen into unauthorized hands—say 
a whole cylinder M-94 or a whole strip device CSP 642, or that have already 
been grouped in families (Sect. 14.3.6). Then no more is needed than to test 
a column of the torn plaintext against every single alphabet. Again, use of a 
personal computer will be sufficient. 

However, the depth of the columns will frequently be too short to succeed 
with this method. Normally, at least 40 or 50 cryptotext letters per key letter 
will be required for success. 

18.3 Chi Test: Mutual Alignment 
of Accompanying Alphabets 

If the primary alphabet is not known, it is still possible to align mutually the 
individual accompanying alphabets and again to replace the polyalphabeti- 
cally encrypted cryptotext by a monoalphabetically encrypted intermediary 
cryptotext, which can be treated with the methods of Chapters 12-15. This 
procedure is also useful if the primary alphabet is the standard alphabet, but 
this fact has not been recognized, say because the cryptotext is rather short. 

11 8 12 9 12 8 3 4 10 21 5 7 19 9 20 10 8 20 12 4 8 15 22 13 7 26 

ABCDEFGH I J ICLMNOPQRS TUVWXYZ 

Fig. 156. Frequency distribution in the cryptotext of Sect. 18.3.1 

18.3.1 Example. The following cryptotext (Abraham Sinkov 1968) of 303 
characters has a well-balanced frequency distribution shown in Figure 156, 
which does not suggest monoalphabetic encryption. 

S WW J R GPRDN FMWJE X EWG R Z J Q D N VJZRV 
SZXOJ VWWRO VBHRM MOFDL IPAXV EZWUT 


CZOZA AQQJL UPKZZ XUMJA P C Z O E BAWZR 
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ZYKZ I 

POFOL 

UOCRE 

NYKRI 

C AMO X 

I O O R R_ 

Z J K O L 

VWW J N 

VPKZA 

A F O C A 

M Z OMR 

C J Z D Y 

E J X E L 

XRFQI 

Z J C M A 

R J VW I 

D S WZ X 

ASOTR 

B J B Z O 

Q P XM I 

P D J V Z 

Z XHGQ 

S Z F D Q 

F J Z J R 

BMW I C 

E Z MW L 

ME C V Y 

VWZ O X 

TWH S R 

U U BMT 

N S J DW 

S S O OW 

C U N J Y 

V J EW I 

P P F S L 

MOQV Y 

C VWR I 

S MM H W 

XM E J Y 

N U Z M V 

MXWC R 

N B RD E 


S N B 

The value of Phi is 4.58% and confirms the conjecture. There are nine 
repetitions of length 3, but no longer ones, and the distances are: 


WWJ 

125 = 5 • 5 • 5 

RZJ 

100 = 2 • 2 • 5 • 5 

JVW 

132 = 2 • 2 • 3 • 11 

VWW 

90 = 2 • 3 • 3 • 5 

CZO 

21 = 3 • 7 

ZAA 

70 = 2 • 5 • 7 

PKZ 

60 = 2 • 2 • 3 • 5 

ZZX 

121 =11-11 

CAM 

28 = 2 • 2 • 7 . 


The Kasiski examination is unable to differentiate between the two possible 
periods 5 and 7. However, this can be done with a Kullback examination. 
Writing a depth in 7 columns yields the low value PhA 7 ' > = 4.44%, while for 
a depth in 5 columns the calculation of the values of <j) p as shown in Figure 157 
yields P/ij( 5 )=5-(196+236+258+262+240)/(303-302)=6.51%, a much higher 
value in the expected range. Since also the frequencies are rather unbalan¬ 
ced, each column could indeed be monoalphabetically encrypted. However, 
none of the columns seems to have a frequency distribution with a shifted 
profile belonging to English, German, or French, as a glance ahead at Figure 
158 shows. Thus, not a VIGENERE system, but more generally an ALBERTI 
system seems likely, and we have to determine its primary mixed alphabet. 
Fig. 158 presents the profiles for the five columns, intuitively aligned. 

18.3.2 Obtaining an intermediary cryptotext. If the text were ten 
times as long, we could treat every column separately and in the end perhaps 
be surprised to find that all the alphabets have a common primary alpha¬ 
bet. But with 61 or 60 characters in a column, the text basis is too small 
to do this. Therefore, we can only hope that under the assumption of an 
ALBERTI system the five alphabets can be mutually aligned such that a 
monoalphabetically encrypted intermediary cryptotext of 303 characters is 
obtained, enough to use standard methods. 
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Fig. 157. Frequency distribution for five columns and values of (f>p 


1st column I I—L.—I I .-1-1—I-1 . .-.—I-1-L_ 

ABCDEFGHI J KLMNOPQRS TUVWX Y Z 

2nd column I I I I I ■ ■ I ■ I ■ I I ■ ■ I I ■ I 

XYZABCDEFGHIJKLMNOPQRSTUVW 

3rd column J L.I I I . I I . I I lJ I I 

KLMNOPQRS TUV WX YZABCDEFGHI J 

4th column —I—I ■ ■ I I—■-1-1—I—■-1 ■ ■ l-1-1-■ 

R S TUV WX YZABCDEFGHI J KLMNOPQ 

5th column —I—I I l I-■-1-1—■-1 ■ I l-1-1-L 

WX YZABCDEFGHI J KLMNOPQRS TUV 
Fig. 158. Profiles for five columns, intuitively aligned 


To obtain the mutual alignment of the z-th and the fc-th columns, Chi is 
calculated for the z-th column, shifted cyclically by q positions, and the k -th 
column, for q = 0 ... TV—1. Normally, in this sequence all the values fluctuate 
around k# with one exception, which should be in the neighborhood of ks, 
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and the corresponding q giving the alignment shift. Table 22 shows this for 
the first and second column, with the resulting alignment A^=X^ 2 \ This 
confirms the alignment of the profiles for the 1st and the 2nd column in 
Fig. 158. 

Alignment Chi 

A<A)=A^ 157/61 2 = 4.22% 

A(i)=B(2) 133/61 2 = 3.57% 

A(i)=C( 2 ) 162/61 2 = 4.35% 

A(i)=£>(2) 122/61 2 = 3.28% 

A(i)=£( 2 ) 144/61 2 = 3.87% 

A(i)=F(2) 138/61 2 = 3.71% 

A(i)=G(2) 102/61 2 = 2.74% 

A(i)=i?(2) 170/61 2 = 4.57% 

A(i)=/(2) 119/61 2 = 3.20% 

AA)=jC) 126/61 2 = 3.39% 

A(i)=Ar( 2 ) 188/61 2 = 5.05% 

AA)=lC) 83/61 2 = 2.23% 

A«=M(2) 160/61 2 = 4.30% 

A(i)=AT(2) 133/61 2 = 3.57% 

AO^oW 165/61 2 = 4.43% 

A(1)=P(2) 137/61 2 = 3.68% 

AA)±qC) 106/61 2 = 2.85% 

Ai 1 )=i?(2) 172/61 2 = 4.62% 

A( 1 )=S'(2) 130/61 2 = 3.49% 

A(i)=T(2) 123/61 2 = 3.31% 

AC)=U^ 190/61 2 = 5.11% 

A(i)=y(2) 132/61 2 = 3.55% 

A(i)=1F( 2 ) 148/61 2 = 3.98% 

A ( i)=x(2) 236/61 2 = 6.34% 

A(i)=y(2) 91/61 2 = 2.45% 

A^=Z^ 154/61 2 = 4.14% 

Abraham Sinkov indicates different alignment strategies: a chaining one with 
an alignment of the 2nd column against the 1st, the 3rd column against the 
2nd, the 4th column against the 3rd, the 5th column against the 4th, and 
so on, possibly cyclically closed; a starlike one with an alignment of the 
2nd column against the 1st, the 3rd column against the 1st, the 4th column 
against the 1st, the 5th column against the 1st, and so on. The chain has the 
disadvantage that the results cannot be better than the effect of the weakest 
alignment in the chain. The star has the disadvantage that the common 
reference may be ill-chosen. In general, bypasses are sometimes necessary. 

A weak alignment occurs if more than one value of Chi is raised above the 
background. This happens in our example for the calculation of Chi between 


Table 22. 

Calculated values of Chi 
for first column 
against second column 
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the 3rd and the 4th column. As Table 23 shows, there is almost no difference 
between A^=HA) and A/ 3 )=j\d 4 ). It is possible to follow up several cases, 
and also possible to bypass weak alignments. In our example it turns out 
that the chain as well as the star work well with the alignment A^=HA ). 


This in the end gives the alignment shown in 

Figure 158. 

Alignment 

Chi 


A^=A ( 4 ) 

187/61-60 = 5.11% 


A(3) = R(4) 

86/61-60 = 2.35% 


A(3) = C'(4) 

148/61-60 = 4.04% 


A(3) = D ( 4) 

164/61-60 = 4.48% 


a(3)=f;(4) 

165/61-60 = 4.51% 


^(3)^p(4) 

117/61-60 = 3.20% 


A( 3 ) = G(4) 

82/61-60 = 2.24% 


A(3)=ij(4) 

231/61-60 = 6.31% <— 


^(3)^J(4) 

122/61-60 = 3.33% 


A(3) = J(4) 

110/61-60 = 3.01% 


A(3)=A(4) 

143/61-60 = 3.91% 


A<3)=L(4) 

109/61-60 = 2.98% 


A( 3 ) = Af(4) 

150/61-60 = 4.10% 


A(3)=A(4) 

229/61-60 = 6.26% *— 


A(3) = 0(4) 

53/61-60 = 1.45% 


^(3)^p(4) 

180/61-60 = 4.92% 


A(3) = Q(4) 

146/61-60 = 3.99% 


A ( 3)=p(4) 

103/61-60 = 2.77% 


A( 3 )=5(4) 

204/61-60 = 5.57% 


A ( 3)-^p(4) 

108/61-60 = 2.95% 


A(3) = [/(4) 

126/61-60 = 3.44% 


A(3) = I/(4) 

190/61-60 = 5.19% 


a( 3 )=w (4) 

114/61-60 = 3.11% 


A(3)=X(4) 

124/61-60 = 3.39% 

Table 23. 

Calculated values of Chi 

A (3)±yA) 

145/61-60 = 3.96% 

for third column 

A(3) = Z(4) 

124/61-60 = 3.39% 

against fourth column 


Thus, the example shows how a periodic ALBERTI encryption under reason¬ 
ably fortunate circumstances can be reduced mechanically to an intermediary 
cryptotext which is most likely monoalphabetically encrypted. In this exam¬ 
ple from Sinkov, 60 cryptotext letters per key letter were more than sufficient. 
The support obtainable from a personal computer is enough. 

18.3.3 A side result. In Figure 158 it may be noticed that the letters, 
read vertically, which produce AXKRW, BYLSX, CZMTY, DANUZ and so on, 
give among others ROBIN . This is presumably the 5-letter key word. We 
shall come back to this observation in Sect. 18.4. 
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18.4 Reconstruction of the Primary Alphabet 

The monoalphabetically encrypted intermediary text is produced by system¬ 
atic change of letters, as suggested by Fig. 158: the fragment SWWJR is trea¬ 
ted as follows: 

SWWJR = S (1) W (2) W (3) J (4) R (5) = S (1) Z (1) M (1) S (1) V (1) = SZMSV (1) 
Altogether there is the following intermediary cryptotext, expressed in the 
alphabet (1) of the first column: 


(1) S ZM S V 

G S HMR 

F PM S I 

X HMP V 

Z MGMR 

VMP A Z 

S C N X N 

V Z M A S 

V E X A Q 

M R V M P 

I S QG Z 

E CMD X 

C C E I E 

A T G S P 

USAID 

XX C S E 

P F P X I 

B DM I V 

Z B A I M 

P R V X P 

U R S A I 

N B A AM 

C D C X B 

I R E A V 

Z M A X P 

V Z M S R 

V S A I E 

A I E L E 

MC E V V 

CMPM C 

EMN N P 

X U V Z M 

Z M S V E 

R M L F M 

D VM I B 

A V E C V 

BMR I S 

Q S N VM 

P G Z E D 

Z AX P U 

S C VMU 

FMP S V 

B PMRG 

E C C F P 

MH S E C 

V Z P X B 

T Z X B V 

U X R V X 

N V Z MA 

S V E X A 

C X D S C 

VMU FM 

P S V B P 

MRG E C 

C YM AM 

S Q R 

S P C Q A 

X P U S C 

N X P V Z 

M AM L V 

N E HM I 


Its frequency distribution with respect to the alphabet ' 1 is 

20 10 21 7 19 6 7 4 14 0 0 3 40 9 0 23 5 13 24 2 8 31 0 20 1 16 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 


An entry is obviously 

M (1) = e , v (1) = t , S (1) = a . 

From the frequently occurring trigram VZM = tZe one obtains 
Z (1) = h . 

Working freestyle, one can from the occurrence of /heat/ tentatively con¬ 
jecture that /temperature/ occurs, indeed the repetition 
VMUFMPSVBPM= teUFePatBPe occurring towards the end of the seventh 
line and again in the ninth has the requested pattern. This gives already 
ljW= m , Fh)= p , pl 1 )^ r , Bh)= u . 

At the beginning of the fifth line there is 
VZMAXPVZMSRV = theAXrtheaRt = thenortheast . Thus 
A (1) = n , X (1) = o , R (1) = s . 

The decryption now moves to a gallop, since etaonrsh and some rare 
letters are already determined: from the fragmentary decryption 


a h e 

a 

t 

G 

a H 

e 

s 

P 

r 

e 

a 

i 

o 

H 

e r t 
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h e 

n 

a 

t 

E 

o 

n 

Q 

e 

s 

ter 

I a Q G h 

E C 

e 

D 

o 

C C E 

I 
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C a E 
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e 

I 

t 

h u n 

I 

e 

r 

s t 

o 
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C D C o u 

I s 

E 

n 

t 
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o 
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t 
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a 
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I 

E L E 

e C E t t 

C e 

r 

e 

C 
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EeNNr omthe heatE seLpe Dtelu ntECt 
uesla QaNte rGhED hnorm aCtem perat 

uresG ECCpr eHaEC throu Thout mosto 

Nthen atEon CoDaC tempe ratur esGEC 

CYene arCQn ormaC North eneLt NEHel 
a Q s 

one deduces step by step 

G (1 )= w , v , lW= cl , C (1) = 1 , nW = f , E (1 ) = i , 

Q (1) = y , D (1) = C , T (1) = g , L (1) = X , Y (1) = b , 
and ends up with a plaintext that obviously makes sense: 


a 
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At that moment the primary alphabet is reconstructed up to an arbitrary 
shift. Nothing is known about /j/, /k/, /q/, /z/ , which do not show up. 
The decryption determined so far reads for the first and the second column 

ABCDEFGHI JKLMNOPQRSTUVWXYZ 

(1) nul ci pwvcl**xef *rysagmt * o b h 

(2) ci pwvcl**xef *rysagmt * o b h n u 1 
Assuming that ROBIN (see 18.3.3) indeed was the key word, the lines for 
the key letters R and O in a ‘tabula recta’ would be obtained by cyclic shifts 

R RS TUVWXYZ ABCDEFGHI J KLMNOPQ 

O OPQRSTUVWXYZABCDEFGHI JKLMN 
with the headline of the ‘tabula recta’ shifted accordingly 

sagmt*obhnul ci pwvd**xef * r y . 
Now even the ‘second’ key, the password for the construction of the alphabet, 
becomes transparent: if the alphabet sequence is written in five columns 
solve 
a b c d f 

g h i * * 

m n p * r 

t u w x y 

* 

the password /solve/ suddenly appears. The primary alphabet is con¬ 
structed according to the method discussed in Sect. 3.2.5. In this way, we 
can even complete the alphabet: 
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solve 
a b c d f 

g h i j k 

m n p q r 

t u w x y 

z 

Correspondingly, the completed headline is 

sagmtzobhnul ci pwvclj qxefkry . 

With this result, the decryption is perfect in the sense of Rohrbach’s maxim. 
Causal repetitions (see 18.3.1) are RZJ and VWW, which both become /the/; 
PKZ is decrypted /and/ ; WWJ is /hea/ in hea(t) and in (nort)hea(st) , ZAA 
is /din/ in (colli)din(g) and in (an)d_in . The quite unlikely occurrence of 
the four accidental repetitions JVW, CZO, ZZX, CAM is confirmed; they have 
distances 2 • 2 • 3 • 11, 3 • 7, 11 • 11, 2 • 2 • 7, all missing the factor 5 . 

18.5 Kerckhoffs’ Symmetry of Position 

In Sect. 18.4, for methodical reasons, a free-style frequency analysis was per¬ 
formed. Frequently, there are clues for probable words leading to a pattern 
analysis, which may also give decryption of rare characters in some of the ac¬ 
companying alphabets. In 1883, Auguste Kerckhoffs detected that it is pos¬ 
sible in suitable cases to infer from such a decryption of characters of some col¬ 
umn the decryption of characters of some other, separate column. He called 
the corresponding property of the accompanying alphabets, based (Chap¬ 
ter 5) on the commutativity of addition in , symetrie de position (sym¬ 
metry of position). The method, generally known under Kerckhoffs’ name, 
is explained in the following using an original example from Kerckhoffs. 

18.5.1 Example. Let the cryptotext of 150 characters be 

RBNBJ JHGTS PTABG JXZBG JICEM QAMUW 

I V G A G N E I MW REZKZ SUABR RBPBJ CGYBG 

JJMHE NPMUZ CHGWO UDCKO JKKBC PVPMJ 

NPGKW PWADW CPBVM RBZBH JWZDN MEUAO 

JFBMN KEXHZ AWMWK AQMTG LVGHC QBMWE 

and assume that a Kasiski examination of the bigram repetitions RB, BJ, 
BG, RE, MJ, PQ has raised suspicion of a polyalphabetic encryption of pe¬ 
riod 5, possibly with accompanying shifted alphabets. As mots probables 
of the telegram dated from September 2, 1882 and sent from London to the 
Agence Havas in Le Caire (Cairo) are listed Arabie, Wolseley 1 , Suez, Ismailia, 
canal , general, soldats. Kerckhoffs first makes a frequency analysis of the five 
columns and finds that in the first column e , in the second and fourth 

b( 2 )= B^ 4 )= e , in the third M^ 3 )= e , in the fifth Z^ 5 ) = e is a reasonable 
guess. This gives him a partial decryption 


1 Lord Garnet J. Wolseley, Commander-in-Chief of the British Army. 
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RBNBJ JHGTS PTABG JXZBG JICEM QAMUW 

* e * e * e * * * * * * * e * e * * e * e * * * * * * e * * 


and he tries in the circumstances the hypothesis that this should be completed 
to le general Wolseley . This gives an entry 

RBNBJ JHGTS PTABG JXZBG JICEM QAMUW 

legen eralw olsel e y * e * e * * * * * * e * * 

Thus G*- 5 )= 1 ; then he tries a continuation with telegraphie: 

RBNBJ JHGTS PTABG JXZBG JICEM QAMUW 

legen eralw olsel eytel egrap hie** 


This is the prehistory; the specific method starts here. So far we have 


a b c cl e f g h i j k 1 m n o p q r 

P 


(1) 


J Q 

R 

(2) 


B I A 

T 

(3) 

G 

M N 


(4) 

E 

B 

T 

(5) 


Z 

G 


M 


s t u v w x 


H 

C A Z 


y z 

X 


The symmetry of position is now introduced: To start with, lines (2) and 
(4) must be identical (because of B^= B^ 4 ^= e, T^ 2 ) = t^ 4 ^= 1), which when 
supplemented gives 

abcclef ghi j k 1 mnopqr s t uvwxyz 

(2) E B I A T H X 

(4) E B I A T H X 

Since J occurs in lines (1) and (5) and J^)= e , J^ 5 -*= n = e + 9 we conclude 
that the whole line (5) is shifted against the line (1) by nine positions to the 
right. This gives a determination of eight cryptotext characters: 

abcdefghi j k 1 mnopqr st uvwxyz 

(1) GJMQ RSP Z 

(5) Z GJMQ RSP 

But line (3) and line (5) are also connected, among others by M^ 3 )= e , 
m (5) = p = e +11. This leads to the following fixation of eleven cryptotext 
characters: 

abcdefghi j k 1 mnopqr st uvwxyz 

(1) GJMQN RSP CAZ 

(3) GJMQN RSP CAZ 

(5) CAZ GJMQN RSP 

Finally, line (2) and line (3) are connected by one letter, namely A: A^ 2 )= i 
and A^= s = i+ 11 . This now gives connections between all five alphabets 
and a fixation of seventeen cryptotext characters: 
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a 

b 

c 

cl 

e f 

g h 

i 

j 

k 

1 

m n 

0 

p q 

r 

S 

t 

u V 

w 

X 

y 

z 

(1) 



G 

H 

J 

M Q 

N 


X 

R 

E 

S 

p 

B 


I 

C 

A Z 


T 



(2) 

E 

s 

P 


B 

I C 

A 

Z 


T 




G 

H 

J 


M Q 

N 


X 

R 

(3) 

G 

H 

J 


M Q 

N 

X 

R 

E 

S 

P 


B 

I 

C 

A 

Z 

T 





(4) 

E 

S 

P 


B 

I C 

A 

Z 


T 




G 

H 

J 


M Q 

N 


X 

R 

(5) 


I 

C 

A 

Z 

T 




G 

H 

J 


M Q 

N 


X 

R E 

S 

P 


B 


Decryptions are still missing for the nine cryptotext characters D, F, K, L, 
O, U, V, W, Y . However, it can be expected that with 17 out of a total 
of 26 characters the further decryption is trifling. Indeed, the fragmentary 
decryption of the first three lines of the telegram 


RB N B J 

J HGT S 

P T A B G 

J X Z B G 

J I C EM 

Q AMU W 

1 e g e n 

e r a 1 w 

o 1 s e 1 

e y t e 1 

e g r a p 

hie** 

I VG AG 

N E I MW 

R E Z K Z 

S U ABR 

RB P B J 

C G Y B G 

s * a i 1 

i a q u * 

latte 

n * s e u 

1 e m e n 

t q * e 1 

J J MH E 

N PMU Z 

C H GWO 

UDCKO 

J KK B C 

P V PM J 

e s e r v 

i c e * e 

t r a * * 

* * r * * 

e * * e c 

o m m u n 


provides V, W with the probable word Ismailia. Obvious filling of gaps gives 
U, Y and if in the third line transports is recognized, then D, K, O are given. 
F and L both occur only once (in the fifth line of the telegram) and are 
harder. 

But there is already a better way to bring the decryption to an end: a 
password used in the formation of the alphabet has emerged and is obviously 
RESPUBLICA . Thus, the five alphabets used can be completed to give 

abcdef ghi j k 1 mnopqrstuvwxyz 

(1) DFGHJ KMQNOXRES PUBLI CAZYTVW 

(2) ESPUBLI CAZYTVWDFGHJ KMQNOXR 

(3) GHJ KMQNOXRES PUBLI CAZYTVWDF 

(4) ESPUBLI CAZYTVWDFGHJ KMQNOXR 

(5) LI CAZYTVWDFGHJ KMQNOXRES PUB 

In the completed column under plaintext /a/ appears DEGEL (French degel, 
thaw) as the key word, which makes sense. 

Finally, the whole encryption table ( tabula recta) is shown as Table 24. It 
remains open which line should be the first; following Kerckhoffs also here, 
we choose the line with the password at the end. If then the lines, i.e., the 
alphabets, are numbered from A to Z, the key word of length 5 is FRHRW. 
But the ‘true’ key DEGEL uses the column under plaintext /a/ . 

The plaintext reads: “Te general Wolseley telegraphie d’Ismailia qu’il attend 
seulement que le service de transports et de communication soit completement 
organise pour faire une nouvelle marche en v...”. 

Summarizing, the symetrie de position allows one “to extort more plaintext 
from a paucity of ciphertext” (David Kahn). 
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abcclef g h i j kl mnopqrstuvwxyz 
A Z Y T V WD FGHJ KMQNOXRES PUBLI CA 
B Y T V WD FGHJ KMQNOXRES PUBLI CAZ 
C TV WD FGHJ KMQNOXRES PUBLI CAZY 
D V WD FGHJ KMQNOXRES PUBLI CAZYT 
E WD FGHJ KMQNOXRES PUBLI CAZYTV 
F DFGHJKMQNOXRESPUBLICAZYTVW 
G FGHJKMQNOXRESPUBLICAZYTVWD 
H GHJ KMQNOXRES PUBLI CAZYTV WD F 
I HJ KMQNOXRES PUBLI CAZYTVWDFG 
J JKMQNOXRESPUBLICAZYTVWDFGH 
K KMQNOXRES PUBLI CAZYTV WD FGHJ 
L MQNOXRES PUBL I CAZYTV WD FGHJ K 
M QNOX RES PUBLI CAZYTVWD FGHJ KM 
N NOXRES PUBLI CAZYTVWD FGHJ KMQ 
O OXRESPUBLI CAZYTV WD FGHJ KMQN 
P X RES PUBLI CAZYTVWD FGHJ KMQNO 
Q RESPUBLI CAZYTV WD FGHJ KMQN OX 
R ESPUBLICAZYTVWDFGHJKMQNOXR 
S S PUBLI CAZYTVWD FGHJ KMQN OX RE 
T PUBLI CAZYTV WD FGHJ KMQNOXRES 
U UBLI CAZ Y T V WD FGHJ KMQNOXRES P 

V BLICAZYTVWDFGHJKMQNOXRESPU 
W LI CAZYTV WD FGHJ KMQNOXRES PUB 
X I C A Z Y T V WD FGHJ KMQNOXRES PUBL 

Y CAZYTV WD FGHJ KMQNOXRES PUBLI 
Z A Z Y T V WD FGHJ KMQNOXRES PUBLI C 

Tabic 24. Table of alphabets ( tabula recta ) for the example of Kerckhoffs 


18.5.2 Volapiik. The Fleming Auguste Kerckhoffs (the complete list of his 
given names is Jean-Guillaume-Hubert-Victor-Frangois-Alexandre-Auguste, 
his nobility name was von Nieuwenhof ) was born January 19, 1835 in Nuth 
in the duchy of Limburg (now in Belgium). He went to school near Aachen, 
studied after a stay in England at the university of Luik {Liege, Liittich), 
became a high school teacher in modern languages and worked as a trav¬ 
eling secretary, to find finally a position in Melun, south-east of Paris. He 
was somewhat eccentric as a teacher, but very active in learned societies. 
In 1873, he became a French citizen, and in 1873-1876 he studied at the 
universities of Bonn and Tubingen and became Docteur es lettres. In 1878 
he was given a chair for German Language at the Ecole des Hautes Etudes 
Commerciales and at the Ecole Arago in Paris. His first contribution to cryp¬ 
tology was in 1882, when he wrote—for unknown reasons— La cryptographic 
militaire. This 64-page article in the Journal des Sciences militaires, January 
and February 1883, and Kasiski’s work of 1863 are the foundation stones of 
scientific cryptology in the 19th century. 

However, for most people Kerckhoffs’ fame stems from his ardent and tragic 
support for the international, universal language Volapiik, proposed in 1879 
by Johann Martin Schleyer. Kerckhoffs was appointed in 1887 Dilekel (direc¬ 
tor) of the International Volapiik Academy. Like Esperanto (1887) and other 
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later proposals, Volapiik was unable to establish itself. Kerckhoffs lived long 
enough to see the decline of Volapiik and died broken-hearted in 1903. 

18.5.3 An example with a surprise. The symmetry of position is also 
useful in dealing with a VIGENERE system, of course. We shall show this 
for the cryptotext of G. W. Kulp (Fig. 130), first assuming only that it is an 
ALBERTI system, and that there are reasons to expect a period of 12. To 
begin with, we write a depth of 12 columns as in Fig. 144, 
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u 

K 







and start from the observation that /e/, /t/, and /a/, the three most frequent 
letters in English, have the following distances: t + 7 = a, a + 4 = e, as well 
as t + 11 = e. We now look for the most frequent cryptotext characters in 
the same column with these differences, 4 or 7 or 11. In fact, we find six 
triples : 


(3) 

(4) 

(6) 

(7) 

(10) 

(12) 

plain 

B 

M 

W 

L 

M 

L 

t 

I 

T 

D 

S 

T 

S 

a 

M 

X 

H 

W 

X 

W 

e 


This finding also suggests that the 4th and the 10th columns, as well as the 
7th and the 12th columns are subordinate to the same key. 

Using a systematic procedure we form for every column the pairwise differ¬ 
ences between the most frequent cryptotext characters and list those with 
the differences 4, 7, 11. There are more cases: 



(1) 

(2) 

(3) 

(4) 

(5) 

(6) 

(7) 

(8) 

(9) 

(10) 

(ii) 

(12) 

plain 

+7 

+4 

N 


B 

M 


W 

L 

M 


M 

X 

L 

t 


N 

I 

T 

E 

D 

S 


A 

T 

E 

S 

a 

Y 

R 

M 

X 

I 

H 

W 

X 

E 

X 


W 

e 

Shift 

0 

19 

u 

25 

10 

9 

H 

25 

6 

25 

10 

24 



This ‘difference method’ is only a variant of the symetrie de position. Note 
that the word UNITEDSTATES shines through in the middle line. The shifts 
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needed to align the columns with the first column are given in a footline. They 
produce a key; decryption with respect to this key reduces the cryptotext to 
a monoalphabetically encrypted intermediary cryptotext. Subtraction of the 
respective key letters gives the beginning of this text 


G 

L 

U 

F 

Y 

R 

U 

H 

X 

Y 

L 

B 

I 

Q 

c 

M 

C 

N 

N 

B 

u 

N 

N 

B 

Y 

G 

Y 

M 

M 

Y 

H 

A 

Y 

L 

U 

L 

L 

C 

P 

Y 

M 

B 

Y 

L 

Y 

U 

N 

N 


Further decryption by means of a frequency analysis offers no problems, and 
the intermediary encryption turns out to be a CAESAR addition—we did not 
use this at all—with U = a; decryption is performed by counting forward six 
places in the alphabet order. Equivalently, the key UNITEDSTATES may 
be used for the original, polyalphabetically encrypted text. The beginning of 


the plaintext 

is therefore (compare Sect. 18.1.2): 





m 

r 

a 

1 

e 

X 

a 

n 

d 

e 

r 

h 

o 

w 

i 

s 

i 

t 

t 

h 

a 

t 

t 

h 

e 

m 

e 

s 

s 

e 

n 

g 

e 

r 

a 

r 

r 

i 

V 

e 

s 

h 

e 

r 

e 

a 

t 

t 


The ‘difference method’ which sprang up here will again be found useful 
for stripping off superencrypted code in the next section, since it is totally 
free of frequency analysis. If in the symmetry of position method frequency 
considerations were included, one could guess that in the above triples the 
last line, which is more densely populated than the other two, corresponds 
to /e/ (the most frequent letter) and thus the first line to /t/ and the second 
line to /a/. Since /a/ is the zero element in Z 26 , this observation also clari¬ 
fies why the key word UNITEDSTATES shone through. (There are also 
‘wrong’ differences, e.g., in the third column M and X with difference +11). 

18.6 Stripping off Superencryption: 

Difference Method 

We resume the discussion of Sect. 18.3 . The (mutual) alignment of accompa¬ 
nying alphabets does not refer to the plaintext, which is regained only from 
the monoalphabetically encrypted theoretical intermediary text (Sect. 18.4). 
This reflects the fact that ALBERTI steps are compositions: monoalphabetic 
functional substitution, followed by polyalphabetic VIGENERE addition. 

18.6.1 A strip. Thus, the technique of Sects. 18.3, 18.5 is also applicable 
for superencrypted code, i.e., for a composition (Sect. 9.2.2) of coding and 
following VIGENERE over Z 26 (literal code) or Z 10 (numeral code). The 
latter case is called in English parlance ‘stripping off a numerical additive 
from enciphered code’, French libeller par soustraction de Vadditive, German 
Subtraktion einer Uberschliisselungszahl. Enciphered code is ‘encicode’ for 
short, and the code taken from the codebook is ‘plain code’ or ‘placode’ for 
short. 
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Assuming a certain width of the placode (normally known, e.g., 5) and a 
certain period, say 15, columns of equally superencrypted placode words 
(columns of encicode groups) are formed. Frequently occurring plaintext 
words or phrases lead to frequency differences in each column of encicode 
groups. If the material is voluminous enough, this may allow the calculation 
of the mutual Chi of two columns and thus help alignment, but frequently the 
material will not be rich enough to establish by mutual alignment a reference 
encicode. 

18.6.2 Again symmetry of position. But there is still the symetrie de 
position. Two encicode groups that are prominent in two columns belong to 
the same placode if and only if their difference equals the difference of the 
additives that belong to the columns. Note that differences, according to 
Shannon, are the ‘residue classes’ of linear polygraphic substitutions. 

To give an example, assume there are three columns and in each one are 
found three prominent encicode groups, 

( 1 ) ( 2 ) ( 3 ) 

47965 60597 27904 
69451 34689 41537 
11057 10056 26443 

If 47965 from the first and 60597 from the second column of enci¬ 
code groups belong to the same placode, then 11057 from the first and 
34689 from the second column of encicode groups belong also to one and the 
same placode, since 

47965 - 11057 = 60597 - 34689 = 36918 . 

To find such coincidences systematically, for each column of encicode groups 
all mutual differences are calculated, in our example a three-by-three matrix 
for each column of encicode groups (note that addition is done without carry): 

( 1 ) ( 2 ) ( 3 ) 

00000 88514 36918 00000 36918 50541 00000 86477 01561 

22596 00000 58404 74192 00000 24633 24633 00000 25194 

74192 52606 00000 50569 86477 00000 09549 85916 00000 

With this information, we also find relations between encicode groups in 
different columns: 

Within the first and within the second column, we have 
36918 = 47965 - 11057 = 60597 - 34689 ; 
therefore, between the first and the second columns, there is 

47965 - 60597 = 11057 - 34689 = 87478 . 

Within the second and within the third column, we have 
24633 = 34689 - 10056 = 41537 - 27904 ; 
therefore, between the second and the third columns, there is 

34689 - 41537 = 10056 - 27904 = 93152 . 
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Reducing the second column of encicode groups (2) relative to the first one 
(1) by adding everywhere in (2) the difference 87478 , and reducing the third 
column of encicode groups ( 3 ) relative to the first one (1) by adding every¬ 
where in ( 3 ) the difference 87478 (for ( 2 ) against (1)) and then the difference 
93152 (for ( 3 ) against (2)); altogether therefore the difference 70520 , we 
obtain: 

(!’) ( 2 ’) ( 3 ’) 

47965 47965 97424 

69451 11057 11057 

11057 97424 96963 

Shift 0 87478 70520 

The next step is to look in the first column of encicode groups for another 
occurrence—though more rare—of 97424, likewise in the (reduced) third col¬ 
umn of encicode groups for another occurrence—though more rare-of 47965; 
moreover for occurrences of 69451, 97424, 96963. With luck, further com¬ 
monly occurring placodes can be discovered. 

18.6.3 Use of machines. This procedure, although logically simple, re¬ 
quires cumbersome calculations and it is unsurprising that in the 1920s crypt¬ 
analysts sought mechanical support for the alignment. Punch card equipment 
was available and was suited for the task. Particularly in the Second World 
War, British (J. H. Tiltman, Sept. 1939), Americans (T. H. Dyer, R. J. Fabian, 
Nov. 1940), and Germans (H.-G. Krug) relied upon such help. 

Next, special devices were built. In the Cipher Branch of the German Ober- 
kommando der Wehrmacht (Armed Forces High Command), a Differenzenre- 
chenger&t was designed that processed encicode groups punched on tape with 
the help of mechanical scanners and relay circuitry. It provided seven differ¬ 
ences of five-digit groups per second and recorded the output on a typewriter, 
and was thus 10 to 15 times faster than a human calculator at top speed. 

In contrast to these digital methods, analog devices with photoelectric mea¬ 
surement for tetragrams were used to determine the most frequently occur¬ 
ring placodes, both in the Chi Branch of the OKW and in the Sonderdienst 
Dahlem unit of the German Foreign Ministry. For the reduction, i.e., the 
subtraction of a difference from a column of encicode groups with known 
relative basis, special optical analog devices were designed during WWII by 
the mathematician Ernst Witt (1911-1991). 

Less is known about special devices used by the Allies of the Second World 
War. The HEATH ROBINSON and COLOSSUS machines built in Bletchley 
Park handled binary additives, but were oriented mainly against teletype 
cipher machines like the Lorenz Schliisselzusatz SZ 42 (Sect. 19.2.6). In the 
USA, the COPPERHEAD machines of 1943, technologically on the level 
of HEATH ROBINSON, worked with optical scanning, too, and were used 
against Japanese superencrypted codes, finding the additives. A non-digital 
variant was ICKY, used for multigrams of long length, allowing both a l-of-26 
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and a 2-of-5 coding. Comparable, perhaps, with German developments was 
the TESSIE machine of 1942, a device built by the Eastman company for 
the US Navy, working with photoelectric measurement, which was used to 
find four-digit encicode groups needed for stripping off a superencryption. It 
was directed both against the Japanese high level fleet code and the German 
‘brief signals manual’ for U-boats that was used to flash location messages 
and tapped by the Allies for cribs. 

The Abwehr traffic with the ‘11-15-17’ ENIGMA G machine (Sect. 7.3.9) 
was normally broken by hand methods, but in extremely difficult cases ma¬ 
chines would be employed. While at Bletchley Park two special Bombes 
(FUNF, see Sect. 19.6.4) were used, the US Coast Guard preferred HYPO (see 
Sect. 17.3.4) and had plans for special attachments (‘multi-notched grenades’) 
to Bombes; however they were not made during the war. 

18.7 Decryption of Code 

At the very end, after stripping off the superencryption, there remains the 
decryption of the intermediary encicode, the reconstruction of the code book 
(‘book-building’). The intermediary encicode is shifted against the placode 
by a constant, but this is totally irrelevant for the work to be done, which 
is mainly linguistic in nature. Systematically, this work belongs rather in 
Chapter 15. It is much simplified if the code is a one-part code (Sect. 4.4.2); 
then a codegroup lying between two groups with already known plaintext 
equivalents has an in-between plaintext equivalent. At this point, imagina¬ 
tion and vision, association and combination find ample scope for application. 
Book-building is that part of cryptanalysis where mathematics alone is help¬ 
less. A systematic treatment of the linguistic side of cryptanalysis was first 
attempted (in 1892) by Paul Louis Eugene Valerio. 

18.8 Reconstruction of the Password 

The advantage offered by accompanying alphabets is that they result from a 
single primary alphabet. This can only help the hurried cryptographer if he 
can easily remember or construct the primary alphabet. For this purpose, 
passwords (Sect. 3.2.5) are very popular. Reconstructing them not only gives 
the unauthorized decryptor additional security but can also be used methodi¬ 
cally. The use of meaningful passwords therefore creates a weakness. 

18.8.1 Friedman. At first sight, what William F. Friedman presented in 
1917 looks like a conjurer’s trick: Let the primary alphabet be 

abcclef ghi j k 1 mnopqr s t uvwxyz 
NTUVPWXJ FYZDKQCABOGRLI SHME 
It turns out that it is monocyclic with the cycle 

(anqbtrocul clvi fwsgxhj ymkzep) 
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Now, starting from an arbitrary character, say /a/ , the substitution is 
iterated and the results are written down cyclically with distances of 1, of 3, 
of 5 ... : 


NQBTROCUL DVI 
N**Q**B**T** 

n ****q**** b * 

and so on. This gives altogether 

1 NQBTROCUL DVI 

3 NDJ QVYBI MTFK 

5 NKXI CQZHFUBE 

7 NGRYL EF QXOMD 

9 NTCDFGJ KPQRU 


F W S G X . . . 

R * * O * . . . 

* * * rp * 


FWS GXHJ YMKZ EPA 
RWZOS ECGPUXALH 
J WLTPYS DRAMGVO 
PWBHCKVAS TJ UZI 
VWXYZ ABOLI SHME 


and produces with the distance 9 a sequence that contains a meaningful pass¬ 
word: ABOLISHMENT . Now taking on the plaintext side the same sequence 
but shifted 9 places to the right, the following substitution is obtained: 

abol i shmentcdfgj kpqruvwxyz 
9 NTCDFGJ KPQRUVWXYZ ABOL I SHME 

Reordering yields the initial alphabet, whose construction from the key¬ 
word is now clarified: it is the ninth power of the cycle with the password 
abolishment: 

( abol i shment cdf gj kpqruvwxyz) 

The conjurer’s trick becomes better understood if one realizes that for ev¬ 
ery distance an alphabet is obtained, from which by reordering the initial 
alphabet is regained, e.g., for the distance 7: 

astj uzi ngryl efqxomdpwbhckv 
7 NGRYL EFQXOMDPWBHCKVAS TJ UZI 

although this one does not produce a meaningful password. Or with the 
distance 1 one obtains, of course, 

anqbtrocul clvi fwsgxhj ymkzep 
1 NQBTROCULDVI FWSGXHJ YMKZ EPA 

In fact, the third power of this alphabet reconstructs the password, since 
3 times 9 equals 1 modulo 26. 

18.8.2 Friedman again. William F. Friedman also gave in 1918 a process 
for the reconstruction of passwords in the very general case (Sect. 3.2.5) of an 
ALBERTI system with passwords both for the plaintext side and the cryp¬ 
totext side. We shall come back to this in Sect. 19.5.3. 






19 


Compromises 


The quality of a machine 
depends largely on its use. 

Boris Hagelin 

Among the cryptographic faults listed in Chapter 11, the compromises are 
worst, because they open methodical lines of attack. Next to the plaintext- 
cryptotext compromise, discussed in Sect. 14.6, we deal in this chapter first 
with plaintext-plaintext and then with cryptotext-cryptotext compromises. 

19.1 Kerckhoffs’ Superimposition 

Polyalphabetic encryption with periodic keytext, even with unknown and 
unrelated alphabets, provides no security against unauthorized decryption. 
Once the period is determined (Chapter 17), building of a depth (Sect. 17.5) 
leads to a monoalphabetically encrypted plaintext. However, the plaintext is 
torn, which makes the decryption of very short texts difficult or impossible 
(Sects. 18.2.5,18.3.2). 

But even if the key is not periodic or comparable in length to the plaintext, 
the methods of Chapter 18 can be applied whenever a number of plaintexts 
are encrypted with the same key. Provided the cryptotexts can be adjusted to 
be in phase with the keytext, this plaintext-plaintext compromise of the key 
likewise allows one to build a depth, i.e., to build columns of cryptocharacters 
or of encicode groups, each one consisting of monoalphabetically encrypted 
(but still torn) plaintext. Auguste Kerckhoffs also discussed this situation in 
his 1883 paper. The in-phase adjustment of several texts is called superim¬ 
position (German Uberlagerung). Superimposition will only work if plenty 
of plaintexts encrypted with the same key sequence are available and can be 
adjusted, but because of the logistic problems of key assignment, this is very 
likely if encryption machines are used which have the same or only slightly 
varying starting position of the (mechanically generated) key. In this way, 
John H. Tiltman 1 succeeded in breaking the older ENIGMA without plug¬ 
board (British codename ‘ rocket ’), used by the German Reichsbahn in the 
Second World War for the transmission of timetables for transport trains. 


1 “... he was charming and intelligent and though he looked military he certainly didn’t 
behave like a stuffed shirt.” (Robin Denniston) 
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It is evident that the periodic use of a not-too-long key, which leads to some 
repetitions, also means a plaintext-plaintext compromise—but since this was 
common practice, it was not called so. This observation has the consequence 
that all methods usable for the determination of a key period can also be 
used to test whether the different plaintexts are in phase, and if they are not, 
to adjust them. In this case, the Kappa test or the Chi test will be just right. 

19.1.1 Example. The following superimposition example given by Kerck- 
hoffs assumes that the plaintexts are in phase. With altogether 13 of them, 
it gives a conveniently simple exercise (typographic errors are corrected): 



1 2 3 4 5 

6 7 8 9 10 

11 12 13 14 15 

16 17 18 19 20 

21 22 23 24 25 

26 27 28 29 

(i) 

UHYBR 

J I MB C 

F AMM F 

J H DMR 

I Q 


(ii) 

U HWP R 

BQLKI 

B LWR E 

JRBKL 

H I X B Q 

E X HM 

(iii) 

I EWH C 

HQKQM 

TMVG J 

J E D Z V 

A 


(iv) 

UWVRR 

H I KMC 

WWRGH 

D C X S R 

QH 


(v) 

U H S H A 

HK S VC 

J WZ VX 

J Y N DM 

QQN 


(vi) 

Y H V HM 

AGQKC 

WX P V I 

H HWL Z 

V L T H V 


(vii) 

L H V H A 

A G R L P 

F M S O H 

I PWZ Z 

JELQR 

BW 

(viii) 

S WU I R 

X I C J U 

F S H GW 

R S Z B A 

A L 


(ix) 

UHWH V 

A YU L C 

JWOUK 

DEBKQ 



(*) 

YWX H Y 

H B A L G 

B V P S W 

I WW J R 

R H 


(xi) 

WQ REX 

B I E N H 

MV YMH 

S I YM 



(xii) 

S WU H D 

H P J J C 

KXGMH 

L 



(xiii) 

GQ VQR 

VOTQQ 

S PWR 





Kerckhoffs begins with the statement that frequency counts presumably give 
ff( 2 )=e, H^ = e, H^=e- and R^ = e, I^ = e, L^ = e, C^=e, 
and that because of the many coincidences the second, the fourth, and the 
sixth positions fall under the same key (wisely he does not assume U^ 1 ' 1 = e). 

Cryptotext (iv) would then be decrypted (iv) ****e ee***., which suggests 

looking for a word that ends with ee ; F armee would be suitable: 

(iv) larme ee***. Cryptotext (v) with (v) le*e* e****. suggests 

(v) legen eral*. Cryptotext (vi) suggests the hunch (vi) *ere* v****., 

this leaves a choice between (vi) serez vous*. or (vi) ferez vous*. 

Cryptotext (vii) with (vii) *eren vo*e*. is interpreted by Kerckhoffs 

somewhat convincingly as (vii) neren voyez. He then continues with the 

remaining cryptotexts. But he has already made an entry. 

Superimposition as a methodical idea is also suited for the case of unrelated 
alphabets. Provided that not too many different alphabets are used, say 
not more than two dozen in the case of monographic alphabets, and that the 
cryptotext is long enough that most of these alphabets are used at least a few 
times, then the effective depth of the material is correspondingly multiplied as 
soon as the identity of these alphabets is established. If the key is formulated 
in German, then on average every sixth key character is an E and thus every 
sixth alphabet is the same. In English, this holds for every eighth alphabet. 
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19.1.2 Symmetry of Position again. In the present case the further 
decryption would be cumbersome detailed work, had not Kerckhoffs made the 
assumption that we have accompanying alphabets which are simply shifted 
and thus the symetrie de position, the climax of his work (Sect. 18.5), can be 
used. Then everything goes like clockwork. Some of the decrypted messages 
are (the genre is French North Africa): 


(i) leprefetdepoliceestici 

(ii) lespertesdelennemisontgrandes 

(iii) onsemetsurladefensive 

(iv) larmeeestentreeaucaire 

(v) legeneralestaalexandrie 

(vi) serezvousenetatderesister 

(vii) nerenvoyezpaslesprisonniers 


‘ le prefet de police est ici ’ 

‘ les pertes de I’ennemi sont grandes’ 
‘ on se met sur la defensive ’ 

‘ l' armee est entree au Caire ’ 

‘ le general est a Alexandrie ’ 

‘ serez vous en etat de resister ’ 

‘ ne renvoyez pas les prisonniers ’ . 


It turns out that Kerckhoffs used the same ALBERTI steps as in Sect. 18.5.1. 
The key is periodic; it can be reconstructed with a Kerckhoffs encryption 
table (Table 24) from the longest text (ii) and runs thus 


JEMEMETSSURLADEFENSIVE\ JEMEMET ... 


19.2 Superimposition for Encryptions with a Key Group 

Under favorable circumstances even the extreme case of a superimposition of 
only two cryptotexts encrypted with the same key is not hopeless, provided 
the alphabets are known. This was outlined for the first time in 1918 by the 
great American cryptologist William Frederick Friedman. 

19.2.1 Pure encryption. We assume in this section that the cryptosystem 
is not only, as usual, injective and definal, i.e., for every encryption step 
Xs ■ there exists a decryption step xj 1 '■ —->- V^ : 

X7 1 (Xs(p))=P for all p€k (n) , 

but also that it is functional and surjective (Sect. 2.2.2, 2.6.2): 

y s (xj 1 (c)) = c for all ceW^ . 

Then = |IlA m )| . In this case, it is convenient to identify plaintext 

characters and cryptotext characters, thus n = m, V = W , and the endo¬ 
morphic case Xs : y n —>- V n is assumed. Thus, let M C V n x V n be the 
cryptosystem, |V| = N . M is the key space. 

The important assumption is now that the endomorphic cryptosystem M is 
pure (see Sects. 2.6.4, 9.1.1), i.e.,that it is closed under composition: The 
composition of two encryption steps Xs G M, Xt G M belongs to the set M 
of encryption steps: Xs(Xt(p)) = Xs»t(p ), whereby s • t is uniquely defined. 

The composition is associative: Xr»s(Xt(p )) = Xr(Xs»t(p)) ■ Since we have 
assumed that every encryption step x« £ Af has an inverse x7 1 G M , the 
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encryption steps build a group under composition, the key group M (see 
Sect. 9.1.1). Xs~ 1 {p) is defined by x7 1 {p)- 

Trivially, the key group can be a singleton M = {id}; or it can have N n 
elements, say M = {id, x, X 2 : X 3 > • ■ • X N -1 )}> where x is monocyclic; or it 
can have maximally ( N n )\ elements, M = V n - 4 —^ V n . 

Now let c' = (c' 1; c’ 2 , Cg,...) and c" = (c", c 2 , Cg,...) be isologs, two crypto¬ 
texts that are encryptions with the same key k = {k\. k 2 ,k 3 ,...) of the two 
plaintexts p' = {p'^p^p's, ■ ■ •) and p" = (p'{,P 2 ,p'i, ■■■)■ 

c i = Xkt (Pi) > c'i = Xkt {Pi) ■ 

Furthermore, we assume that the cryptosystem is transitive (Sect. 14.3.4). 
Then the key group M is a transitive permutation group in the classical sense 
that there exists a character a £ V n such that for each character y £ V n there 
exists an encryption step Xt £M such that y = Xt( a ) ■ This implies that the 
number of keys is greater than or equal to the power of the alphabet V n , 
\M\ > N n , and every character of V n can be related injectively to a key. In 
other words, the characters are equivalence classes of the keys. 

We may also assume a Shannon cryptosystem (Sect. 2.6.4), where the key fc,; 
is uniquely determined by a pair consisting of plaintext character pi and 
cryptotext character Cj, which implies \M\ < N n . In general, the key ki 
does not need to be uniquely determined by pt and C\ ? 

Thus, we have a pure, transitive Shannon cryptosystem with \M\ = N n , be¬ 
longing to a Latin square. The relation between characters and keys is one- 
to-one; identification of keys and characters according to s = Xs( a ) results in 

s • t = Xs»t(a) = Xs(Xt{a )) = X&) and thus xIp) = s • p , Xs»t{p) = X Xs (t) (p) ■ 
Furthermore, 

X s —i(c) = s- 1 .c=xJ 1 (c) • 

Now it makes sense to speak of X^' l (. c i)-> the cryptotext character c" de- 
crypted with the cryptotext character c( as in-phase key. A simple calcula¬ 
tion shows the important result that under the given conditions the key in 
X{i 1 (c") is canceled out, or more precisely, 

X^(c") = X^(p") ■ 

19.2.2 Differences. For (endomorphic) Shannon cryptosystems with a 
transitive key group, we form the difference dj = f X{' 1 ( c/ /) °f the two ob¬ 
served in-phase cryptotexts and look for two plaintexts p' , p'[ such that their 
difference Xj/ (Pi) equals d, . This can be attempted in a zig-zag way much 


2 Only if (N n )\ = N n , i.e., for N n = 1 or N 71 = 2, is the key necessarily a priori 
determined. This includes as interesting case only V = Z 2 , n = 1 ; then there are only 
the two encryption steps: identity O and reflection L (Sect. 8.3.1); pi = Ci gives ki = O, 
Pi / Ci gives ki = L . 



19.2 Superimposition for Encryptions with a Key Group 379 


like in Sect. 14.4; to solve it uniquely two plaintexts are needed such that the 
sum of their redundancies (Sect. 12.6, footnote 4) is at least 100%. 

If the encryption steps even form a commutative group with respect to com¬ 
position, then we have Kerckhoffs’ symetrie de position, 

Xs(t) = Xt(s) • 

For (endomorphic) cryptosystems with a commutative key group, the key 
k is uniquely determined both by p' and d and by p" and e." , since with 
c'i = Xkiip'i) also c' = X p '(/cj) and thus ki = X~/ 1 (c(). They are neces¬ 
sarily Shannon cryptosystems; if \M\ > N n , then the key group is not 
commutative. We shall find such key groups in Sect. 19.2.4. 

Moreover, in the commutative case, since Xp'(di) = p" holds, XdAp'i) = p" 
holds too. Thus p” results from p' by encryption with di as key. 

For every key group there is a set of dual encryption steps {x s } with 
Xsip) = stp- 1 , Xf\c) = c' 1 • s and X s . t -i(p) = XxJ,t)ip) ■ 
Now Xlr(c") = X p "{p'i) • For the case of a commutative key group the dual 
encryption is self-reciprocal: xj\t) = Xs(t) ■ 

19.2.3 Cyclic key groups. If (for n = 1) accompanying alphabets are 
constructed by a cyclic shift of a primary alphabet of N characters, then 
the number of keys coincides with the number of characters; in fact the key 
group is commutative and is the cyclic group of order N. Thus, VIGENERE 
encryption has this group as key group, with addition modulo N as a model, 
whereas BEAUFORT encryption (as used in the Hagelin M-209) is the dual 
of VIGENERE encryption. Here, the primary alphabets are known anyway. 

ALBERTI encryption can be treated as well, if the difference is modified. In 
the encryption table of Kerklroffs’ example, Table 24, with p as generating cy¬ 
cle (see Sect. 7.2) of the (mixed) alphabets and with the primary substitution 

p _ abcclef ghi j k 1 mnopqrstuvwxyz 

ZYTVWDFGHJKMQNOXRESPUBLI CA ’ 

there is A = p°P , B = p 1 P , C = p 2 P , D = p 3 P, ... , Z = p 25 P . 

We may assume that P is known already, say because an ALBERTI disk has 
fallen into the wrong hands. 

We now take up again the cryptotexts (i) and (ii) of Sect. 19.1.1. Forming 
from c" = f (ii) and d = f (i) the P-modified difference di = Xp-ip (P~ lc i), 

we find that di = p Si P if and only if in the known mixed alphabet of P one 
has to go Si steps in order to get from c" to c(. The result is 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

c" U HWP R BQLKI B LWR E JR.BKL HI 

d UHYBRJIMBCF A MM F J H DMR IQ 

d aaxca olplb ldhvp askbu pp 

S 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 
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Now di = x P -i c > ( P 1 c") = Xp - V {P 1 Pi) i the known d can be interpreted 
as cryptotext, obtained under y -1 with P~ l p' as (unknown) key from P~ 1 p" . 
This swapping of roles opens up all possible attacks for the determination of 
the key, using key patterns and key letter frequencies. 

For example, di = a (which occurs for i = 1,2,5,16) means identity of 
p\ and p” . In French, this happens with a frequency of about 30% for 
p[ = Pi = /e/ , while p\ = p " = /a/ and p\ = p" = /s/ each occur with 
a frequency of only 10%. (In fact, the bold assumption /e/ would be ful¬ 
filled for i = 2,5,16, while /I/ occurs for i = 1). In view of the information 
given about the genre, the method of the probable word is to be recom¬ 
mended. Thus, assuming we are dealing with the French language and in the 
circumstances the probable word ennemi , it remains to check exhaustively 
whether there corresponds to one of the possible positions of ennemi in p" a 
meaningful French word in p' (or vice versa). The following successive trials 


p" 

1 

2 

3 

4 

5 

6 7 8 

9 10 

ii 

12 

13 14 15 

16 

17 18 19 20 

21 22 

e 

n 

n 

e 

m 

i * * 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

d 

a 

a 

X 

c 

a 

O 1 p 

lb 

1 

dhvp 

a 

s k b u 

P P 

6 

0 

0 23 2 

0 

14111511 1 

11 3 

7 2115 

0 1810 1 20 

1515 

P' 

e 

n 

k 

g 

m 

w * * 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

p" 

i 

2 

3 

4 

5 

6 7 8 

9 10 

11 

12 

13 14 15 

16 

17 18 19 20 

21 22 

* 

e 

n 

n 

e 

m i * 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

d 

a 

a 

X 

C 

a 

o 1 p 

lb 

1 

dhvp 

a 

s k b u 

P P 

6 

0 

0 23 2 

0 

14111511 1 

11 3 

7 2115 

0 1810 1 20 

1515 

P’ 

* 

e 

k 

P 

e 

at* 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

p" 

i 

2 

3 

4 

5 

6 7 8 

9 10 

11 

12 

13 14 15 

16 

17 18 19 20 

21 22 

* 

* 

e 

n 

n 

e m i 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

d 

a 

a 

X 

C 

a 

O 1 p 

lb 

1 

dhvp 

a 

s k b u 

P P 

6 

0 

0 23 2 

0 

14111511 1 

11 3 

7 2115 

0 1810 1 20 

1515 

P' 

* 

* 

b 

P 

n 

S X X 

* * 

* 

* 

* * * 

* 

* * * * 

* * 

P" 

i 

2 

3 

4 

5 

6 7 8 

9 10 

11 

12 

13 14 15 

16 

17 18 19 20 

21 22 

* 

* 

* 

e 

n 

n e m 

i * 

* 

* 

* * * 

* 

* * * * 

* * 

d 

a 

a 

X 

C 

a 

O 1 p 

lb 

1 

dhvp 

a 

s k b u 

P P 

6 

0 

0 23 2 

0 

14111511 1 

11 3 

7 2115 

0 1810 1 20 

1515 

P’ 

* 

* 

* 

g 

n 

b p b 

t * 

* 

* 

* * * 

* 

* * * * 

* * 


and some more are unsuccessful, but in the 13th position (and nowhere else) 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

p" ***** ***** **enn e m i * * * * 

d aaxca olplb ldhvp askbu pp 

S 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 

p f ***** ***** * * 1 i c e e s * * * * 

emerges with /licees/ as a fragment that can be enlarged reasonably into 
/police_est/ . (In p' , /ennemi/ is a flop.) Now with interchanging the roles 
of p' and p" comes 
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1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

p" ***** ***** elenn emis* ** 

d aaxca olplb ldhvp askbu pp 

5 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 

p f ***** ***** pol ic eest* ** 

suggesting enlargement to /de 1’ ennemi sont/ . Backwards again we get 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

p" ***** * * * * d elenn emiso nt 

d aaxca olplb ldhvp askbu pp 

5 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 

p r ***** * * * * e polic eesti ci 

In this way, a probable word can serve as a seed which in a zig-zag manner 
grows to the right and to the left in both texts. The method allows especially 
the use of non-content words, endings and prefixes, which are not rare; in 
English /and/, /the/, /that/, /which/, /under/, /tion/, in French /les/, 
/que/, /ion/, in German /und/, /ein/, /ung/, /bar/, /heit/, /unter/ . In 
our example a new seed is successful, and with /les/ in 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

p" les** ****d elenn emiso nt 

d aaxca olplb ldhvp askbu pp 

5 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 

p' 1 e p * * * * * * e polic eesti ci 

we may try perhaps /leprefetd/ in p' and get with a little bit of luck a 
confirmation by the supplemented /lespertes/ in p" : 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

p" lespe rtesd elenn emiso nt 

d aaxca olplb ldhvp askbu pp 

5 0 0 23 2 0 14111511 1 11 3 7 2115 0 1810 1 20 1515 

p' lepre fetde polic eesti ci 

This ends the decryption of the two cryptotext fragments. Only the decryp¬ 
tion of the shorter one of two such texts can be obtained in this way, of 
course, but there is still the key that has not been used so far. It can be 
reconstructed now: Juxtaposition of p' and c' gives according to Table 24, 
which was assumed to be known, 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

c' UHYBRJIMBCF A MM F JHDMR IQ 

p r lepre fetde polic eesti ci 

k JEMEM ETSSU RLADE FENS I VE 
and again confirmation by a ‘meaningful’ key sentence, which could be con¬ 
tinued periodically. For the success of this zig-zag method, it was sufficient 
that both plaintexts had distinctly more than 50% redundancy. 

19.2.4 Other key groups. The key group we just dealt with, typical for 
ALBERTI encryption and especially for VIGENERE (dually: BEAUFORT) 
encryption, is as said above the cyclic group Cn of order N, where we have 
V = W = 1^. It is only one example for groups of prescribed order. For Z 26 , 
there is besides C 26 another commutative group: the direct product C 13 x C 2 
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of the cyclic group of order 13 and the cyclic group of order 2. It is the group 
generated by 13 PORTA encryptions which is obtained by an intermediate 

coding Z 26 -x- Z 13 xZ 2 . There is also a non-commutative group of order 26, 

the dieder group V i 3 , with the generators S and T; S 13 = T 2 = (ST) 2 = I 
which it seems has so far no relevance in cryptology. 

For Z 25 there is next to the cyclic group C 25 a further commutative group: 
the direct product C\ = C 5 x C 5 of two cyclic groups of order 5, obtained 

by the intermediate Polybios coding Z 25 ->- Z 5 x Z 5 . There is no non- 

commutative group of order 25. For Z 10 there is next to the cyclic group 
C 10 the commutative group C 2 x C 5 reached by the intermediate biquinary 

coding Z 10 ->- Z 2 x Z 5 . There is also the non-commutative Dieder group 

V 5 with the generators S and T ; S 5 = T 2 = (ST) 2 = I . 

In view of binary coding, particularly interesting groups are those of order 2" . 
For arbitrary j the commutative groups C 2 j and C 2 == C 2 x C 2 x ... x C 2 are 
most prominent. For j = 2 we have the cyclic group of order 4 and Klein’s 
Vierergruppe. For j = 3 there are additionally the non-commutative quater¬ 
nion group Q and the non-commutative Dieder group 2? 4 with the generators 
S and T ; S' 4 = T 2 = (ST) 2 = I , both without cryptological relevance. This 
remark also applies to a handful of non-commutative groups for j = 4, 5. 

For the difference between Z 2 „ and Z 2 (as well as for the difference between 
Z 10 n and Z 10 ), namely the lack of the carry mechanism, see Sect. 8.3.3 . 

0t4o2hnm5lrgipcvezdbsyfxawj3uqkl 

00000000000000001111111111111111 16 

00000000111111110000000011111111 8 

6666iiii6666iiii6666iiii666oiiii 4 

00110011001100110011001100110011 2 

01010101010101010101010101010101 1 

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 

Table 25. Binary coding used in cryptography, based on CCITT 2 (Table 27) 

0: Blank, 1: Letter Shift, 2: Word Space, 3: Figure Shift, 4: Carriage Return, 5: Line Feed 

(B.P.: / 8 9 5 or +3 4 ) 

(FRA: 6 3 5 4 1 2 ) 

19.2.5 The special case C\ of Vernam. A representation of Z 25 is the 
1929 vocabulary of the International Teletype Alphabet No. 2 (CCITT 2), 
going back to Baudot in 1874 and Donald Murray in 1900. The 5-channel 
representation suggests an encryption (Sect. 8.3.1) Ci=pi © k % by addition 
modulo 2 , the key group of which is C 2 = C 2 x C 2 x C 2 x C 2 x C 2 (and not 
C 25 ), namely an encryption with 32 alphabets, generated by substitutions O 
(identity) or L (reflection), see Sect. 8.3.1, of the five binary characters. The 

actual coding Z 32 -^Z 2 of CCITT 2 is shown in Table 25. Apart from 26 

(lowercase) letters there are six control characters of the teletype machine, 
whose function is meaningless on the cryptographic line; we designate them 
with 0, l, 2, 3, 4, 5 and use 2 as a word separator (actually, 12 was used; 
this was a weakness, see Sect. 19.2.11). Table 26 shows the natural encryption 
table which, based on addition modulo 2 , one can presume to be known. 
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Oabcdefghi j klmnopqrstuvwxyz23451 

O OABCDEFGHI JKLMNOPQRSTUVWXY Z 2 3 4 5 1 
A A0GFR5CBQS 4 N Z 1 K3YHD IW2XTVPLUOJ EM 
B BGOQTOHAF 1 LPJ SYEKCWMD V UR2N4X5Z3 I 
C CFQ0UKAHG4 SEML 5POB2 JVDTXW 3 1 R Y I N Z 
D DRTU042WXK5 I 3YS Z 1VANBCQGHMOFLEJ P 
E E50K4 0N3YURCWXFBQPJ 2 Z I 1 LMHTSGDAV 
F FCHA2N0QBJ I 5 1 ZEY3GU4XRWV TOMDPSKL 
G GBAHW3Q0CMZY 4 I P 5NFT 1 RX 2DUKJVELOS 
H HQFGXYBCOL 1 3 I 40N 5AVZ 2WRUDESTKMP J 

1 I S 1 4KUJMLOFDHGRVTZNAPEOY3WQ 5 X C 2 B 
J J4LS5RIZ1F02BQUWXME C 3 NYOPVGKTADH 
K KNPEIC5Y3D20XWA QBOSR1 4 ZMLGVJHUFT 
L LZ JM3W1 4 I HBX0CVR2 SOQ5YNEKUAPDGTF 
M Ml SLYXZ I 4G QWC 0T2RJPBN3 5KEDFOUHVA 
N NKY5 SFEPORUAVTOHG3 I DM] L 1 ZBX4Q2 CW 
0 03EPZBY5NVWQ R2H0CKLX4 1 I J SFDMATGU 
P PYKO1Q3N5TXB2RGC0EMWIZ4SJAULFVHD 
Q QHCBVPGFAZMOS J 3KE0XLUTD2R5 IWN1Y4 
R R.DW2 A JUTVNESOP I LMXOKGFHBQ 1 3CZ54Y 
S S IMJN2 4 1 ZACRQBDXWL K0Y5 3 POTHEVFUG 
T TWD VBZXR2P3 1 5NM4 IUGYOQCAFSEHJOLK 
U U 2VDC I RXWEN 4Y 3 J 1 ZTF5QOBHGLPAMKSO 

V VXUTQ1W2ROYZN5LI4DH3CB0FAJKGSPME 
W WT RX G LVDUYOMEK 1 JS2BPAHF0CI 5Q43ZN 
X XV 2WHMTUD3 PLKEZ S J RQOFGAC 0 4 N B IY1 5 

Y YPN3MHOK EWV GUDBFA5 1TSLJ I 402ZCXQR 
Z Z L 4 lOTMJ SQGVAFXDU I 3HEPK5N 2 OYRBWC 

2 2UXRF SDVT5KJ P04MLWCEHAGQBZY 0 INI 3 

3 305YLGPEKXTHDUQAFNZV JMS 4 I CR1 0 WB 2 
I 4 J Z I EDSLMCAUGH2TV 1 5 FOKP 3YXBNW0 RQ 
5 5E3NJAKOP2DFTVCGHY4ULSMZ 1 QWI B R 0 X 
1 1MIZPVLS JBHTFAWU D 4 YGKOEN 5 RC 3 2QX0 

Table 26. Encryption table (Latin square) for teletype symbols: addition modulo 2 in Zt) 


It is regular to use key letters 0, A, B, C, Z, 2, 3, 4* 5, 1 denoting the 
keys. Note that in Table 26 the key letter 0 in the first line acts as a neutral 
element, since it leaves the letters unchanged. Moreover, the key letter 1 in 
the last line acts as an inverter, interchanging pairwise (‘swapping’) 

0 and 1, a and m, b and i, c and z, cl and p, e and v, f and 1, g and s, 

h and j, k and t, n and w, o and u, q and 4, r and y, x and 5, 2 and 3. 

However, it is easily seen that the remaining 30 keys also have this property, 
for example, key letter A in the second line swaps 

0 and a, b and g, c and f, cl and r, e and 5, h and q, i and s, j and 4, 

k and n, 1 and z, m and 1, o and 3, p and y, q and h, t and w, u and 2. 

Thus, the encryption step and its reciprocal, the corresponding decryption 
step, coincide. Bitwise binary encryption is necessarily self-reciprocal, the 
matrix in Table 26 is symmetric—which is a great advantage for practical 
work. Moreover, it can be seen from Table 26 that the key letter could be 
reconstructed if a pair of plaintext letter and corresponding cryptotext letter 
were given. For example, if the plaintext letter w was encrypted by the 
cryptotext letter G , the key letter was D. 
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19.2.6 Cryptanalysis of Vernam encryption. The teletype coding was 
widely known from the turn of the century, and via Vernam the professional 
cryptologists were also familiar with it; the obvious natural key group 
was concretely known. Thus, all preconditions for an attack as in Sect. 19.2.3 
were fulfilled, and in particular the key character could be reconstructed 
(because of the commutativity of the key group) from plaintext character 
and cryptotext character. 

A fictitious example of a break may have gone like this: Two cryptotexts of 
roughly the same length near 4000, picked up by the British at the time of 
the German attack on Crete in mid-May 1941 on a Wehrmacht line Vienna- 
Athens, contained after coinciding preambles, presumably in phase, the frag¬ 
ments (in B. P. called a ‘depth of two’) 

c" 2 WH NR G1ATU APLBV RWO UFYPBSXZNR4J SR 

d L 0 G 2 A WGH 2Z KBVZV Q ZWYK YW J I0KT5AZ 2 K 

The British formed the difference d=d '® d (performing addition modulo 2) 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

c" 2 WH NR G1ATU APLBV RWO UFYPBSXZNR4J SR 

d L0G2AWGH2Z KBVZV Q ZWYK YW JI0KT5AZ 2 K 
d fwcwd dvqkp nkn40 x 5 j 15 Oslax vm4jg gs 

and used the probable word /2kreta2/ to find a reasonable counterpart. They 
discovered at the fourth position 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p" * * * 2 k reta2 ***** ***** ***** ***** ** 

d fwcwd dvqkp nkn40 x 5 j 15 Oslax vm4jg gs 

p r * * * n i a2und ********** ********** ** 

A short look at the map of Greece suggests for p" a supplementation to 
/chania/ and gives: 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p" auf2k reta2 ***** ***** ***** ***** ** 

d fwcwd dvqkp nkn40 x 5 j 15 Oslax vm4jg gs 

p' chani a 2 u n d ***** ***** ***** ***** ** 

Now some more geographic names, following the /und/ , could be tried. 
Another way takes a further probable word, say /2angriff2/. The people at 
Bletchley Park had success in position 19 of p” with: 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p" auf2k reta2 ***** ***2a ngrif t 2 * * * ** 

d fwcwd dvqkp nkn40 x 5 j 15 Oslax vm4jg gs 

p' chani a2und********fen2ostwae** ** 

Now it is almost finished: the missing piece in p' should read /2die2haefen/ , 
followed by /ostwaerts2/. This gives: 
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1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p" a u f 2k reta2wird2der2angrif f 2 d e r 2g 

d fwcwd dvqkp nkn40 x 5 j 15 Oslax vm4jg gs 

p' chani a2und2die2haefen2ostwaert s2 

In readable form: 

‘ auf-kreta-wird-der-angriff-der-g .’ 

‘ chania-und-die-haefen-ostwaerts- .’ 

The cryptanalysts could proceed similarly with other fragments of the text. 
The exacting cross-ruff was certainly fascinating, too. 

The British could now also reconstruct the key. However, since in Of 
subtraction and addition coincide, first the right pairing of plaintexts and 
cryptotexts had to be found. The two possible juxtapositions result in: 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p f chani a2und2die2haefen2ostwaert s2 
jfel MH BWS T S WWO TTOTE ALLOC BNWAT MW A D E G T 

d L0G2AWGH2Z KBVZV QZWYK YWJ I 0 K T 5 A Z 2 K 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

p" auf2k reta2wird2der2angrif f 2 d e r 2 g 

k'2 ZUQON B36MCM2HOE VTBRN BDEOF 5KJ 5 3 OY 
d L0G2AWGH2Z KBVZV QZWYK YWJ I 0 I(T 5 A Z 2 K 

The two possible keys differ by d. The cryptanalysts may well have deci¬ 
ded for a less irregular key text, like k \, assuming that the machine had a 
reasonably uncomplicated mechanism showing some local regularity. 

19.2.7 Historical remark: Baudot and the teletype alphabet, Ver- 
nam. The invention of a ‘printing telegraph’ by David Edward Hughes in 
1855 had to wait a long time before it came into practical use. A large step 
forward was made by the French engineer Jean Maurice Emile Baudot (1845- 
1903) who invented a system of telegraphy where, in contrast to the Morse dot 
and dash system, all symbols were encoded by groups of the same length—32 
letters and other symbols were represented by groups of five characters, the 
characters meaning ‘current’ (mark) or ‘non-current’ (blank). This kind of 
encoding—it can be traced back to Francis Bacon (1605)—allowed a simple 
mechanism for teleprinting, with a keyboard on the sending side, and was 
superior to the teletype machine Hughes had invented. 

Baudot was one of the great pioneers of modern telegraphy. In 1895, Au¬ 
gust Raps (1856 1920) invented a Schnelltelegraph for the Siemens company. 
After the turn of the century, further improvements were made by Fred¬ 
erick George Creed and Donald Murray. In the USA progress was made 
by Edward Kleinschmidt (1875-1977) with the Springschreiber , which after 
1927 was built under licence by C. Lorenz A.G. in Berlin. Herbert Wiisteney 
(1899-1988) designed modern devices for the Siemens company that came 



386 19 Compromises 


into public use in 1933 through the German Reichspost. In 1939, the German 
public telex network had 1500 subscribers. 
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Table 27. International Teletype Alphabet No. 2 (CCITT 2) 

The following correspondence, known from the typewriter keyboard, holds between figures 
and letters: 1= q, 2= w, 3= e, 4= r, 5= t, 6= y, 7= u, 8= i, 9= o, 0= p. 


In 1929, the ‘International Teletype Alphabet No. 2’ (CCITT2), going back 
to Donald Murray (1900), was introduced. Table 27 shows the representa¬ 
tions. It has 26 letters and 26 other symbols, as well as control symbols for 
letter shift. (|) and figure shift (|), for space (|||), carriage return (<), line 
feed (=). A bullet means ‘current’, a blank ‘non-current’; the all-blank com¬ 
bination No. 32 (‘ void ’) was not to be used. Thus, to transmit the letter F 
and the word FED, the signals are in ‘neutral’ (non-polar) signalling systems 


J I I 1 I 

F 



D 


The polyalphabetic bitwise encryption discussed 
above was proposed in 1918 by the young Amer¬ 
ican engineer Gilbert S.Vernam (1890-1960), an 
employee of A. T. & T., when he was charged by his 
boss R. D. Parker with developing a secrecy system 
for teletype communication (US Patent 1,310,719). 
Since 5-channel punched paper tape was frequently 
used to run teletypewriters, Vernam thought of 
punching a tape of key symbols as well. A one-time 
key (see Sect. 8.8) could be used, genuinely random, 
endless and senseless, to give unbreakable encryp¬ 
tion. In effect this meant only that the addition 
table for the bitwise encryption of 5-bit groups had 
to be implemented by suitable electromechanical circuitry. As to the key, 
sender and recipient had to have identical copies, since the encryption was 
self-reciprocal. But key distribution would cause a problem anyhow. Thus, 
sacrificing the holocryptic key, key generation by identical mechanisms in 
the encryption devices was a way out. Both Siemens und Halske A.G and 
C. Lorenz A.G. in Berlin went this way with commercial machines. In the 
USA it was done rather late and in a more clandestine way by the Army 
Signal Intelligence Service with the SIGTOT machine of 1944. 



Gilbert Vernam 
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The cipher teletype machine T 52 ( Geheimschreiber ), built by the Siemens 
company, was openly described in the German Patent No. 615 016 by August 
Jipp and Ehrhard Rossberg (Sect. 9.1.3); the US Patent No. 1912 983 for 
Jipp, Rossberg, and Eberhard Hettler was granted June 6,1933. Thus it 
was not too difficult for the British in Bletchley Park to judge the situation 
realistically. The cipher teletype machines SZ40 ( Schliisselzusatz ), developed 
in the mid-1930s, and the improved SZ 42, developed since 1938 with variants 
A, B, and C, were built by the Lorenz company. Luckily for the British, the 
Schliisselzusatz used only the 32 Vernam encryption steps originating by sub¬ 
stitutions O or L of the five binary characters, while the Geheimschreiber , 
as explained in the patent, used also permutations of the bits (Sect. 9.1.3, 
more in Sect. 19.2.10), and thus had a key set with many more than 32 keys. 

In the Lorenz Schliisselzusatz (Plate N) a first group of five cipher wheels 
(called x-wheels by the British, xi> X 2 , X3> X4> Xs)> with 41, 31, 29, 26, and 
23 teeth operated with Vernam steps on the 5-bit code groups; at each step 
all x-wheels were moved by one tooth, “the most interesting feature of the 
SZ 40/42” (Franz-Peter Heider 1998). A second group of five cipher wheels 
(called V’-wheels by the British, ip 1 , %f 2 , 4>3, V’s) with 43, 47, 51, 53, and 59 
teeth operating additionally with Vernam steps on the 5-bit code groups, fol¬ 
lowed serially. Thus, a double Vernam encryption was performed. Two extra 
wheels served to produce irregular wheel movement (they were correspond¬ 
ingly called ‘motor-wheels’ or /x-wheels); one, denoted /ti, with 61 teeth, 
moving with the x-wheels, controlled by means of its cams the movement 
of another one, fi 2 , with 37 teeth, which in turn controlled the simultaneous 
movement of the /^-wheels; at each step all ^-wheels were moved by one tooth 
if permitted by the cams of the p 2 (‘irregular movement’). The order of the 
wheels was (from left to right) Xi, X 2 , X 3 , X4, Xs, 9 - 2 , 9i, Vh, V’ 2 , ip 3 , V>4, V >5 • 

As with the Siemens machine, the numbers of teeth were chosen such that 
they have no common multiple. Thus, the period was 41 • 31 • 29 • 26 • 23 • 37 • 
61 • 43 • 47 • 51 • 53 • 59 , i.e., more than 10 19 . All wheels could be arbitrarily set 
up with cams controlling the Vernam switches. They could also be brought 
by thumb wheels to arbitrary initial settings determined by the operating 
instructions. They clicked into position with a number showing. 

The double Vernam encryption in the Lorenz machine did not really compen¬ 
sate for the additional complication that the permutations introduced into 
the Siemens machine and the two motor wheels turned out to be no great bar¬ 
rier either. The British were lucky that the Siemens machine was not meant 
to be used for wireless communications, the signals they could intercept were 
for the most part encrypted with the weaker Lorenz machine. 

19.2.8 ZMUG: Tiltman. To use at the highest level of the German 
Wehrmacht-Nachrichtenverbindungen the cipher teletype machines SZ 40 and 
SZ 42, which generated their key by a semiregular movement, was thus utterly 
risky if a plaintext-plaintext compromise could not be excluded. 
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19.2.8.1 In July and August 1941, the German army tested a Hellschreiber 
line between Vienna and Athens having an SZ 40 Schliisselzusatz on both 
ends. They transmitted 12-letter indicators preceding the message in clear 
language, using a spelling alphabet as shown in Fig. 159, where the resulting 
indicator MGLOBLCOODKQ is written by hand across the top of the W/T 
‘red form’ sheet. The sloping text is typical for the Hellschreiber record, it 
is glued to the sheet. 


If fipQ G UOfiuC OOJKlf 

Time of Origin, Signature, etc. Write across the page, code and cypher on every third line. 

- V/// ///// .//>» GUSTA Y&u Z\rl 90TT D 

if/ff, tHtO/ffi ite !W OlZTtt S!5? 90TT0 






-■' 

991.' 

K 8 & 5 

%us 0 

mus rtt/Tn ? 

90TTD 

TTIJjJ 9BTT0 fionns 



—ill S las Fas 'SB Sf - 

-i . . i L 1.._ 


Fig. 159. Facsimile of a British Hellschreiber recording of a German message (08/08/1941) 
Cleartext: ///// //MAR THA99 GUSTA V99LU DWIG9 90TT0 99BER TA99L 
UDWIG 99GUS TAV99 OTTQ9 9QTTO 99DOR A99KO NRAD9 9QUEL LE999 


When the British studied these enciphered signals, they found hints that a 
VERNAM-type encryption based on teletype machines was involved, in par¬ 
ticular when some of the message indicator spellings were corrupted (hOinrich 
for heinrich, th0o3or for theodor) in a message sent out on July 22,1941. It 
was observed that the corrupted name and its correct form had 5-bit tele¬ 
type representations differing only in the first bit. This could be explained 
by some fault in a teletype machine. Thus, it was a natural assumption 
that a VERNAM system was used, but not one of the Siemens machines as 
described in the patent of 1930, which used ten keying wheels leading to a 
10-letter indicator, while the observed indicators had 12 letters. 

The fact that the VERNAM system has a key group (see Sect. 19.2.1, pure 
encryption) considerably simplifies the cumbersome encryption and decryp¬ 
tion process, but it also makes unauthorized decryption easier. When August 
Jipp and Ehrhard Rossberg applied for the Geheimschreiber patent in 1930 
there was no indication of this danger in the unclassified literature. But 
several of the cryptanalytic services studied the description of this machine 
and it can be safely assumed that at least some British very early found out 
about some weaknesses even the Siemens Geheimschreiber offered. 






19.2 Superimposition for Encryptions with a Key Group 389 


19.2.8.2 A lack of crypto discipline is the enemy of good cryptography and is 
the hope of the unauthorized decryptor. As well as laziness, thoughtlessness is 
dangerous. Thus, in July and August 1941 a lot of test messages were sent on 
the Vienna-Athens line and since these contained no information that should 
be kept secret, nobody on the German side was disturbed when ‘isologs’ oc- 
cured, that is, two messages encrypted in-phase with the same key. On July 
3,1941, a pair of isologs with the indicator DKTNFQGWAOSH (nicknamed 
afterwards WAOSH) was found; on July 21, 1941 another one with the in¬ 
dicator KONPAENGFQBZ (nicknamed afterwards GFQBZ). These isologs, 
starting in July 1941, were clearly evident to the British, since the identical 
indicator, expressing the initial setting of the wheels, was transmitted openly 
in front of the message. The whole SZ40 cipher system was compromised by 
this error. The British recorded pairs of isologs in the hope that something 
like the Siemens Geheimschreiber with a letter subtractor cipher was used. 
By July 1941 their assumptions were confirmed. A group 33zzzll (meaning 
+-1—h), which had appeared occasionally in clear preambles, was tried as the 
clear at the front-end of one message, and the clear of the other message from 
the pair came out as seven letters of the word spruchnummer (message num¬ 
ber), usually found at the beginning of a message. This was enough evidence 
that a so-called additive cryptosystem was used on the Hellschreiher link; it 
was given the codename Tunny. 

The disaster for the Germans indeed developed much 
earlier than one might have expected. As reported in 
1993 by Jack Good (first allusions were made in 1978 
by Brian Johnson and in 1983 by Andrew Hodges), a 
plaintext-plaintext compromise occured even before 
the Schliisselzusatz came into regular use, when, dur¬ 
ing tests, as a consequence of a mistake by a German 
telegraphist, two rather long messages p”, p' were sent 
with the same indicator HQIBPEXEZMUG (nick¬ 
named ZMUG); two isologs of roughly 4000 charac¬ 
ters, coinciding in the first seven characters, were John Tiltman (1894-1982) 
recorded. As it turned out, the first message was corrupted by atmospheric 
noise and had been sent again. It should have been repeated identically, 
which, however, is rather difficult, and the operator made minor deviations. 
The compromise allowed Colonel (later Brigadier) John H. Tiltman to deduce 
painstakingly the two plaintexts from the difference d of the two recorded 
cryptotexts c', c" (a ‘depth of two’), using the fact that the difference p' —p" 
of the plaintexts is invariant under in-phase encryption: p' — p" = d — S’. 
(Note, that for addition modulo 2, subtraction coincides with addition.) 

19.2.8.3 As is now known, the accident happened on August 30,1941. 
The first 120 characters of the two messages are shown below, together with 
the differences that Tiltman formed (this can be checked with the help of 
Table 26): 




390 19 Compromises 


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

c" JSH5N ZYMFS 01151 VKU1Y U4NCE JEGPB 
d JSH5N ZYZY5 GLFRGX05SQ 5DA1J JHD50 

d 00000 OOfou g f 1 4 m aqsg5 sekzr Oywhe 

31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 70 51 52 53 54 55 56 57 58 59 60 

c" MNTQMA0U4Y L1QI J LYVIN UB2 3R 5 WE V G 

d BKSUC BTT05 E4TSL E3FGZ YUHVH 3HEE 0 

d saytl gtqtq wquab wcwmx lvtsv buOlg 

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 

c" QI245 GRJML CY50HKAS1I S5XUN SRZZB 

d TG2HH 1QJXVK1BJMK20MZ YVIN3 HMC3D 

d umOmp sxOen e r 3 j 4 Ouxaq ti3 j q zplrt 

91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 

c" DBB1C LSQHH UH5XD 0FN3J 3VOCA DJCDN 
d UQ3 4Z R2MRMOH5JQ PWUEY CPRG1 LDATI 

d cc5ql o e j v4 lOOpv pvjgv y 41hm 35fbr 

The task now is to test the occurrence of a probable word in one of the mes¬ 
sages. If Tiltman tried as a probable word the very frequent word geheim2, 
he would have succeeded twice in finding an intelligible counterpart, 

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 

p" * * * * g eheim2**** ***** **geh e i m 2 * ***** 

d umOmp sxOen e r e j 4 Ouxaq t m 3 j q zplrt c c 5 q 1 

p' ****n 2deut s * * * * ***** **era t t a c * ***** 

n2deuts can easily be supplemented to an2deutsch , and erattac leads to 
2militaerattache2 ; the gap is filled by an2deutschen2milita . Thus already, there 
results a probable fragment for p' with a length of 29 characters 

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 

p" ****g eheim2**** ***** **geh e i m 2 * ***** 

d umOmp sxOen e r e j 4 Ouxaq t m 3 j q zplrt c c 5 ql 

p' ***an 2deut schen 2 m i 1 i taera ttach e 2 * * * 

that produces 29 consecutive characters for p" as well: 

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 

p" * * * 1 g ehe im 22kr2 2 3 3 z z Olgeh e i m 2 2 kr*** 

This shows that, in accordance with a pet silliness on the German side, 
geheim was doubled; the doubling of the complete group Igeheim22kr2233zz 
leads to an extension for p', which makes sense apart from two discrepancies 
(positions 94,9s): 

81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 

p" Olgeh eim22 kr223 3zzl2 

d t m3 j q zplrt c c 5 ql oejv4 

p' taera ttach e2i (w)2 a t (g)e n 

The discrepancies are probably the result of sloppiness and can be corrected. 
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One could continue in this zig-zag fashion. However, by this stage, if not 
earlier, the suspicion arises that the rest of the message p' is simply shifted 
against p" , and this by 39 positions, since an2deutschen2militaerattache2 in the 
position 103 of p" makes sense again, producing in p' laggllnr33mwoou2llg (in 
readable form, and with a typing mistake corrected, lage nr.2997 u g, where u 
means a space): 

86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 

p" e i m 2 2 k r 2 3 3 3 z 1 1 2 * * a n 2 deuts c h e n 2 mi lit 

d zplrt c c 5 ql oejv4 lOOpv pvjgv y41hm 3 5 f br 

p' ttach e2in2 athen * 1 a g g 1 1 n r 3 3mwoo u211g 

Thus, the continuation can now be produced mechanically by looking ahead 
39 characters, until new deviations occur—quite similar to the autokey fallacy 
Shannon described (Sect. 8.7.2). It is reported that Tiltman finished the de¬ 
ciphering in two months. This may have been because further errors caused 
by noise made the break more difficult than a retrospective analysis shows. 
Anyhow, an uninterrupted message was constructed using this particularly 
lucky situation. Normally only isolated parts of the message will be found 
by such a cross-ruff technique. This was why Tiltman’s attempts with the 
very first pairs of isologs failed. However, when later teletype machines were 
used instead of the Hellschreiber, a second text staggered by a few characters 
will be produced if “the paper tape is pulled back a few characters into 
the length of blank tape which ordinarily precedes the start of the plaintext 
message” (Donald Michie). In this way, the operator assured himself that the 
initial characters of the plaintext cannot be lost. The effect is disastrous. 

19.2.8.4 Incidentally, if the probable word nummer2 is tried in p", a possible 
success turns up in the positions 7 , 8 , 9 , 10 , 11 , 12 , 13 : 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

p ff ***** *nummer2** ***** ***** ***** 

d 00000 OOfou gf 14m aqsg5 sekzr Oywhe 

p f ***** *nr23 3 u p * * ***** ***** ***** 

imrnmer can most likely be extended to spruchnummer and there is a change 
from nummer to nr ; this suggests successive continuations shifted by 4 
positions (a ‘stagger’ of 4 characters): 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

p" sprue hnummer233 up*** ***** ***** 

d 00000 OOfou gf 14m a q s g5 sekzr Oywhe 

p f sprue hnr23 3upwu 2e*** ***** ***** 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

p" sprue hnummer233 upwu2 e**** ***** 

d 00000 OOfou gf 14m a q s g5 sekzr Oywhe 

p f sprue hnr23 3upwu 2epxi 2**** ***** 
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The plaintext piece nr233upwu2epxi2, in readable form nr u 7027 u 30/8 (where 
u means a space), seems to contain the date; knowing the German pre¬ 
dilection for doubling important pieces of text, upwu 2 epxi 2 can be tested for 
further occurrences in p'. There is success in positions 29,30,31,32,33,34,35,36,37,3s; 
a repeated fragment upw shows up in p": 

6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 3940 

p" hnumm er233 upwu2 e * * * * * * * w q p2zz 2 upw** 

d OOfou gf14m aqsg5 sekzr Oywhe saytl gtqtq 

p f hnr23 3upwu 2epxi 2**** ***upwu2ep xi2** 

Prefixing the second occurrence of upwu 2 epxi 2 by 2 in p' now has the 
consequence of prefixing wqp 2 zz 2 upw by q in p" . This suggests testing an 
occurrence of qwqp 2 in p ', which is successful in positions 22,23,24,25,26, with 
the counterpart pmim 2 in p". This almost completes the search and results 
in 

6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 

p" hnumm er233 upwu2 epmim 2*qwq p2zz 2 upwu2 

d OOfou g f 1 4 m aqsg5 sekzr Oywhe saytl gtqtq 

p 1 hnr23 3upwu 2epxi 2qwqp 2*2upwu2ep xi2qw 

The remaining gap from position 41 to position 62 can be closed similarly: 

41 42 43 44 45 4647 48 49 50 51 52 5354 55 56 57 58 59 60 

p" 2epmi m2qwq p2zzl 1 3 3 2 ^ 
d wquab wcwmx lvtsv buOlg 
p' qpzll k r 2 k r 2gehe i m 3 3 * 

That the enciphering was made by addition modulo 2, with the consequence 
that subtraction coincides with addition (i.e., the enciphering was self-recipro¬ 
cal 3 ), was irrelevant for the zig-zag method and only facilitated clerical work. 

19.2.8.5 Note that both the availability of probable words and the frequent 
occurrence of doubling contributed to the successful break. The frequently 
used control characters 1, 2 , 3 of the teletype machine helped, too. Most 
helpful, however, was the fact that large parts of the plain messages were 
merely shifted: 

p" reads: spruchnummer u 7027u30.8.u*1210 u ++u7027 [ j30.8.u*1210u++u*** 

geheim uu kr U u++geheim L iukr U u+ 0 'Tiudeutschenumilit . 

p' reads: spruchnr u 7027 u 30/8 u * 1210u*u7027 u 30/8 u l 210+kr u kr u geheim*** 
anudeutschenumilitaerattacheuin u athemlage nr.2997 u g . 

A complication in the deciphering could have been that the date in p ', 
233upwu2epmim2, in readable form u 7027 u 30.8. u , was written slightly differ¬ 
ently in p" , namely 233upwu2epxi2, in readable form U 7027 U 30/8 U ■ 


3 Note that here the self-reciprocal enciphering, which was considered advantageous in 
practice, did not have the drawback the Enigma had, that no letter can be encrypted 
by itself: the key letter 0 , acting as a neutral element, leaves the letters unchanged. 
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19.2.9 ZMUG: Tutte. The two messages themselves were most likely 
of little value. What was important was that a fragment of about 4000 
characters of key generated by the hitherto almost unknown machine was 
exposed, since d = p' © k leads to /c = d ®p' (note that © means addition 
modulo 2). It started with (at B.P., 0 was represented by a dot, 1 by a cross) 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

k CWVS 5 SB 3 ZB EY3 BH BBHOZ I VTfX K* F S C 

1 01010 11111 11110 11001 00001 1 110 

2 1 1 1 0 1 0 0 1 0 0 0 0 1 00 00000 1 1 000 1 00 1 

3 10110 10000 01001 00100 11001 1 111 

4 10100011010011011010010111 101 

5 01100011110111111111011010 000 

31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 

k R4EIO 2PHKZ PVEGF CZDY3 ZXYRYX4GG* 

1 00100 00011 00101 01111 11101 1000 

2 1 0 0 10 0 1 0 10 1 1 0 10 1 0 0 0 1 0 0 0 10 0 0 1 1 

3 00010 11110 11001 10010 01101 1000 

4 11001 00010 01011 10101 01010 1111 

5 00001 01101 11010 01011 11101 1011 

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 

k * * 3QO 3VRGC RZFRT JOVCQ SXUIO 2NFYX 

1 1 10 1 0000 0 1 1 00 1 0 0 01 1 1 1 00 00 1 1 1 

2 110 11111 10010 10111 0011000000 

3 01001001 0010000111 11110 11111 

4 100 11111 10110 1111001001 01101 

5 111 11010 01001 01101 01001 00011 


91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 

k IWX2Y DH4JT MIEZP DNJ IG YRB5U YFMKM 

1 01101 10010 00110 101 10 10101 11010 

2 1 1 0 00 000 10 0 1 001 00 1 1 1 0 1 0 1 1 00 0 1 0 

3 10111 01000 11001 01001 10001 11111 

4 00100 10110 10000 11111 01100 01111 

5 01101 11001 10011 00000 10100 10101 

19.2.9.1 With the reconstructed key fragment it was possible to analyze the 
key generator of the German Tunny machine. First, it was necessary to find 
the periods of the individual keying wheels (whose existence could be inferred 
by analogy to the Siemens cipher teletype machine T 52). One could hazard 
a guess from the fact the indicator HQIBPEXEZMUG had 12 letters that 
there was a total of 12 keying wheels. Since none of the channels i to s of 
the 5-bit-key k had a period of length below 100, it was to be assumed 
that each channel was enciphered by a composition of (at least) two keying 
wheels, which the British called C/w-wheels and Psi- wheels, where first the 
Chi- wheels and second the Psi-wheels were applied. By an examination of 
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periodicity (see Chap. 17) William Thomas Tutte (1917-2002) from Trinity 
College, Cambridge , in B.P. since May 1941, first found in October 1941 the 
periods of the Chi wheels, in particular 41 for \i ; as is shown in Figure 160 . 
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Fig. 160. Periodicity examination of the keying wheel Xl » Kasiski repetitions: A, B, C . 

Keying sequence written in lines of length 41. A dot represents 0 , a cross 1 

Next, the periods of the Psi wheels were determined and the manner in which 
the two motor wheels /zi, p,\ functioned was found out. (For the complete key 
k, we shall write k = \ 0 V>, where y denotes the effect of the Chi -wheel pat¬ 
terns and if) the combined effect of the Psz-wheel patterns and their motion, 
which is controlled by the motor wheels, if) will be called the extended Psi.) 
This exposure of the key generator mechanism was accomplished by the shy 
young graduate student in chemistry Tutte, who later became a mathemati¬ 
cian well known in graph theory. He finished the task in December 1941. By 
January 1942, the whole structure of the machine that had been used for the 
HQIBPEXEZMUG message was discovered. It was indeed ‘pure cryptanaly¬ 
sis’. It turned out at the end of the war that Tunny was the Lorenz cipher 
teletype machine SZ40/SZ42, SZ42A, SZ42B. 

19.2.9.2 Analyzing the pairs of isologs WAOSH and GFQBZ (in March 
1942) now went much faster in the light of the experience ZMUG had brought, 
and some previous assumptions were confirmed. It was also found that the 
wheel order in WAOSH was the same as in ZMUG, and that the patterns 
of the Psi -wheels in WAOSH were identical with the Psz-wheel patterns of 
ZMUG, but the patterns of all other wheels were different. More isologs were 
found in February and March 1942. In the end it was well established that: 
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the order of the wheels was fixed; 

the Psz-wheel patterns remained unchanged over periods that could exceed 
one month (the patterns were changed every six months, then every 
month after October 1942); 

the CTw-wheel patterns remained unchanged over periods of many days 
(the patterns were changed once each month); 
the patterns of the motor wheels were changed comparatively frequently 
(actually every day). 

By July 1942, traffic was broken currently and a Tunny replica was working. 
With the analysis of many pairs of isologs, the mechanism of the motor wheels 
was understood. The observation of the frequent occurrence of repeated 
letters in the extended Psi stream if was made by Tutte in the first place. It 
led him to propose (in August 1942) that, in analyzing mechanically the initial 
setting of the wheels, the differences A0 (‘Delta Psi’) of consecutive letters 
in if should be used 4 . Differencing (‘Delta-ing’) if would produce a high pro¬ 
portion of the particular letter 0 = (00000), the neutral element of addition. 
Hand methods (‘Turingery’) performed in Major (later Colonel) Ralph P. Tes¬ 
ter’s group showed its effectiveness and gave the Cambridge professor Max 
Newman support for his attempts in 1943 to mechanize the determination of 
the initial wheel setting, which is discussed in Sects. 19.3.6 and 19.3.7. 

19.2.10 T52. Around 1928, the Siemens company was contacted by 

Eberhard Hettler on behalf of the Reichsmarine (German Navy), regarding 
the matter of cipher teletype machines. He requested that instead of using 
an unwieldy key tape, the key should be generated inside the cipher machine 
by cipher wheels with some form of irregular movement—an idea that had 
been used already with the commercial Enigma that the Reichsmarine was 
familiar with. Periodicity of the key was a likely outcome of this approach, 
but the German authorities did not have the scruples Mauborgne had had. 

19.2.10.1 The encryption steps of the cipher teletype machines Siemens 
developed (T 52, British codename ‘Sturgeon’) comprised 5 , apart from 32 
different Vernam-type encryption steps operating on the 5-bit code groups, 
also transpositions of the five bits—permutations of their positions, as ex¬ 
plained below. This was a remarkable improvement over Vernam, since it led 
to many more than the 32 substitution alphabets of Table 26. 

The models T 52a (1930) and T 52b (1934) were used by the Reichsmarine 
from 1931; the model T 52c (1938) was first used by the Luftwaffe, and later 
replaced by a variant T52ca which was used generally by the Wehrmacht 
and by mid-1943 simply again called T 52c. The model T 52e—semiofficially 
dubbed Geheimschreiber —appeared in 1942-1943. It is estimated that about 


4 The process of delta-ing works as follows: a change from 0 to 1 or vice versa produces 
a 1, a continuation of 1 or 0 produces a 0. 

5 In group-theoretic terms a subset of the hyper-octahedral group of order 2 s ■ 5! = 3840. 
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1000 machines were built between 1930 and 1945. Early, incomplete informa¬ 
tion on the Geheimschreiber was given by Brian Johnson and David Kahn. 
Encryption and decryption was controlled by ten cipher wheels denoted 
u>i...iuio, each one operating a binary switch ii...i 10 assuming one of the two 
positions 0 or 1. Five switches 5 could perform the 32 Vernam substi¬ 
tutions on the 5-bit code groups; following this, the remaining five switches 
*6...iio could perform altogether 2 • 2 • 2 • 2 • 2 = 32 permutations generated 
by five swaps or non-swaps according to the positions 0 or 1 of the binary 
switches i 6 ...t 10 . How this was done in the T 52a is shown in Fig. 161. 


1 

- \ ? - 

do X 


k X 

2 o' 'o 



i 7 X 

3 o' S 0 



is X 

4 r . \ 



k X 

5 ' s 

-CP-o- 




Fig. 161. Generation of 30 permutations in the T 52a 

19 . 2 . 10.2 The diagram shows a permutation of the lines numbered 1...5 
on the left side (indicating the bits of the plaintext letters), resulting in the 
bits of the cryptotext letters; as is shown in Figures 162 and 163, crossing 
the lines produces a swap, going straight ahead produces a non-swap. 




Fig. 162. Identity (12) (23) (34) (45) = (23) (34) (45) (51) 




Fig. 163. Identity (23)(34)(45) = (12)(23)(34)(45)(51) 

In fact, there are only 30 different permutations among the 32 permutations. 
This can be shown as follows: 

A swap of the lines i and k will be denoted by (ifc). Since 
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(12) (23) (34) (45) = (23) (34) (45) (51) = (54321) (see Fig. 162) 

and (23) (34) (45) = (12) (23) (34) (45) (51) = (5432) (see Fig. 163) , 
the number of different permutations cannot be greater than 30; in fact, it 
can be easily checked that it is 30. Altogether, the ten cipher wheels generate 
the large number of 960 encryption alphabets for a vocabulary of 32 letters. 
Thus, there are in most cases many encryption steps that map the i-tli plain¬ 
text letter p, of a message into the i-th cryptotext letter Cj: the whole en¬ 
cryption step is not uniquely determined by the plaintext letter p, and the 
cryptotext letter Cj. This makes unauthorized decryption more difficult, it 
would have meant a serious complication for the zig-zag deciphering method 
using differences, to be discussed in Sect. 19.2.10.4. 

However, if the plaintext letter p-i is the 5-bit code group l = ( 11111 ) or 
the 5-bit code group o = ( 00000 ), then the encryption step is uniquely 
determined by the cryptotext letter c,, since any permutation of its bits 
leaves ( 11111 ) and ( 00000 ) invariant. 

Now to the ten cipher wheels mentioned above, denoted by w\ ...Wio . The 
movement of these wheels was controlled by their having 47, 53, 59, 61, 64, 
65, 67, 69, 71, and 73 teeth, these numbers being chosen because they have 
no common multiple. At each encryption step all wheels were moved on one 
tooth by a pawl mechanism. This gave a kind of a regular wheel movement 
with a period of 47 • 53 • 59 • 61 • 64 • 65 • 67 • 69 • 71 • 73, i.e., nearly 10 18 . 
Cams sitting on the rims of the wheels and forming a very irregular pattern 
controlled the switches ii-.-Ho ■ The positioning of these cams, which could 
not be altered easily, formed part of an operating set-up remaining valid for 
some period of time. An essential part of the operating instructions was the 
starting position of the cipher wheels, which could be adjusted by thumb 
wheels. Each of the 10 cipher wheels w±...w io could be connected to various 
elements of the Vernam switches 5 and permutation switches i 6 ...«io . 

19 . 2 . 10.3 The models T 52d and T 52e (introduced in 1943 and 1944) were 
variants of T 52a/b and T 52c, respectively, featuring more “irregular” — 
i.e., intermittent—wheel movements and supporting an optional Klartext- 
funktion 6 . The T 52b (1934) was different from the T 52a only with respect 
to improved interference suppression. 

In the T 52c, developed under Herbert Wiisteney (1899-1988), a different ini¬ 
tial setting of the keying wheels could be used for each message (‘message 
key’). In the new T 52c (the T 52ca), as a consequence of new circuitry, only 
16 different substitutions and permutations occurred, reducing the number 

6 Abbreviated KTF by the British, this was a tricky device where the encryption step was 
influenced by the 5th bit of the plaintext letter two steps back, thus sometimes also called 
P 5 or P^, (2 back) (‘Plaintext Bit 5 two steps back’)—an idea that goes back to the 
Swedish inventor Arvid Damm in a 1919 patent application. It not only caused difficul¬ 
ties for the unauthorized decryption, but on noisy transmission channels also difficulties 
for the authorized recipient. For the Lorenz Schliisselzusatz, it was experimentally in¬ 
troduced in March 1943 and broken by the British in April 1943, it reappeared in June 
1944 in the SZ 42 B. 
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of encryption alphabets used for one message to 256—in the T 52e, it was 
16-15 = 240. The different variants T 52a/b, T 52c, T 52ca, and T 52e were in¬ 
compatible. A transmission line had normally the same variant on both ends. 

19.2.10.4 The British were less concerned with the Geheimschreiber, even 
though two T 52 machines were captured in North Africa by units of the 
British Eighth Army, and, according to Hinsley, B.P. “understood the design 
and method of operation [of the T 52] by the summer of 1942”. One reason 
was that T 52a/b and T 52c were used by the German Army exclusively on 
land lines, partly because synchronization of the early T 52 was not stable 
enough on noisy wireless channels. Thus there was much less traffic available. 
The T 52c and T 52e were used on wireless lines by the German Air Force, 
but since the standards of cryptanalytic security were so low in Air Force 
Enigma traffic, it was hardly necessary to deal with their T 52 traffic as well. 
On the other hand, breaking into the disciplined Enigma traffic of the Ger¬ 
man Army was more difficult, and so Tunny traffic was correspondingly more 
valuable. Ernst S. Selmer said “Later versions [of Sturgeon] were occasion¬ 
ally, but not routinely broken by B.P.”. Nevertheless, the British knew how 
to do it: quite a number of Geheimschreiber encryptions, the first ones in 
the summer and autumn of 1942 on the Sicily-Libya line, using a T 52c were 
broken. Later, a T 52b was found in Tunisia and it was discovered that the 
code wheels of this type moved regularly and that they did not combine, 
as was established with the T 52c. Then, in July 1943 a depth of five was 
found which resisted all attempts to break it. It only succumbed a year later, 
in June 1944, to a sustained attack. It turned out that it was enciphered 
on a new machine, the T 52cl. These results were achieved despite the more 
difficult cryptanalytic situation arising from the fact that the key ki was 
not uniquely determined by a pair consisting of plaintext character pi and 
cryptotext character c.j. The wiring that led to the 30 permutations used 
in the T 52a/b and T 52d (Fig. 161) was known from the German and US 
patents. The methods of attack that had proved useful against the SZ42 
could be extrapolated (with a grain of salt), although the reconstruction of 
the key was necessarily somewhat more elaborate. Indeed, permutation leaves 
the numbers of Os and Is invariant, thus identical plain letters at the same po¬ 
sition in a plaintext-plaintext compromise would lead to 0 (‘void’) as the dif¬ 
ference of the crypt letters and thus to two identical crypt letters, while plain 
letters different in all bits would lead to 1 (‘letter shift’) as the difference of 
the crypt letters and thus to two crypt letters different in all bits. Aside from 
these unique cases, there is some uncertainty (‘polymorphism’) involved in 
the cryptanalysis: for example, the ten letters asdzirlnho (Table 28), 
all having two Is and three Os, are mapped among themselves under permu¬ 
tation of their five bits, they are in the same permutation class 1 2 0 3 . 

The construction of the cipher wheels of the Geheimschreiber was also ba¬ 
sically known. The changes in T 52a/b that led to the T 52c were minor; 
the irregular movements of T 52cl and T 52e were not quite as irregular as 
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Table 28. International Teletype Alphabet No. 2 in class order 


they could have been. It was hoped that encryptions with Klartextfunktion , 
involving an autokey (‘autoclave’), would be very difficult for the unautho¬ 
rized clecryptor—and for the authorized recipient, too, if the radio channel 
was noisy. Klartextfunktion was practically nonexistent on T 52. 

19.2.11 Beurling on T52. Studying picked-up 
German teletype signals of May 25 and 27,1940, the 
Swedish mathematician Arne Beurling (February 3, 

1905-November 20, 1986), working for the Swedish 
cipher bureau Forsvarsvasendets Radioanstalt (FRA), 
needed only about two weeks to break into a German 
T 52a/b teletype line to Oslo running over Swedish 
territory—how he accomplished this he did not dis¬ 
close, he never revealed the exact way he went for 
his initial break and used to say ‘A magician does 
not reveal his tricks’. But, according to P. W. Jones, Arne Beurling(1905-1986) 
Beurling gave at least the enigmatic hint “that threes and fives were impor¬ 
tant” . Thus, he obviously had observed from some cleartext chatter that the 
Germans had the habit of using stereotypes like the sequence 12 of ‘Letter 
Shift’ 1 (3 at FRA) and ‘Word Space’ 2 (5 at FRA) in such abundance that 
frequently plaintext pairs of a 1 and a 2 would occur at the same position. 
Thus he was helped by careless signal operators on the German side whose 
lack of discipline led to frequent plaintext-plaintext compromises like 
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Note that all the coincident (bold-faced) 5-bit groups are of the permuta¬ 
tion class 1 'O 2 . Guessed plaintext pairs 1 2 are added, followed furthermore 
by QRV(‘Do you understand?’), an international standard phrase. For the 
fourth column, cryptanalysis that bypasses the polymorphism goes as follows: 
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A comparison of (plain) 2: 00100 (crypt) G: 01011 and 

(plain) 1: 11111 (crypt) U: 11100 

shows that G and U have a coincident bit only in the second position, while 2 
and 1 have it only in the third position. This suggests, that the permutation 
involved in column 4 moves the bit in the third position 3 to the second 
position 2. Assuming the permutation to be tt=(23), 7 t -1 (G)= 00111 and 
the additive key is O: 00011 since 00111 = 2: 00100 ® O: 00011. 

Moreover, the seventh column allows more pairwise comparisons:. 


(plain) 1: 11111 (crypt) G: 01011 

(plain) 2: 00100 (crypt) F: 10110 

(plain) 1: 11111 (crypt) G: 01011 

(plain) V: 01111 (crypt) R: 01010 


(plain) 1: 11111 (crypt) G: 01011 
(plain) Q: 11101 (crypt) O: 00011 

(plain) R: 01010 (crypt) A: 11000 
(plain) Q: 11101 (crypt) O: 00011 


The transitions indicated by deviating bits are 3 4< 4 ~> i? —*3, 1 —> 5, 

to be completed by 5 —* 1 . Thus the permutation for the seventh column 

1 2 3 4 5 

is guessed to be ( )= (15) (234), and under this assumption the 

O o fi 1 

additive key can be calculated in all the four cases and is in each case the 
same, O: 00011, as is easily checked. 


Once the initial break was made, Beurling had no difficulty to find and use 
more cribs. In the end, he was able to reconstruct the T 52a/b machine 
completely and even had replicas built (Fig. 164 shows such an ‘apparat’). 


On June 17,1942, the Germans were warned of the break by Finnish sources, 
but did not react appropriately. By mid-September 1942 the Swedes were 
even able to penetrate the T 52c and later the T 52ca traffic. The break ended 
temporarily in 1943 when the Germans changed the indicator procedures, and 
failed finally with the introduction of the improved T 52d. However, the Swe- 



Fig. 164. Geheimschreiber replica ‘apparat’ of the Swedish cryptanalytic bureau FRA 
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dish cryptanalysts Carl-Gosta Borelius, Tufve Ljunggreen, and Bo Kjellberg, 
under the leadership of Lars Carlbom, broke in April 1943 even the Lorenz 
SZ 40 (Swedish codename QEKZ) machine. Intercepted radio traffic from the 
improved SZ 42 machine was solved by FRA in September 1943. 


19.3 COLOSSUS 


After the structure of the Tunny machine was unveiled in Bletchley Park (the 
Sturgeon machine was captured later in North Africa), the first practical task 
was to find the keying sequence, i.e., the wheel patterns for a whole period 
ijj for six months, \ for one month, p for one day; by 1944 for all wheels every 
day. This was, when possible, achieved by ‘dragging’ probable words (‘cribs’) 
along the cryptotext. The British in Bletchley Park called the determination 
of the periodic 0-1 sequences produced by the cams on the keying wheels 
‘wheel breaking'. It was mainly this wheel breaking that was done by hand in 
Tester’s section ‘Hut F’ by a group of people called the ‘Testery’, including, 
apart from Tutte, the famous mathematicians M. H. A. Newman (1897-1984) 
and J. H. C. Whitehead (1905-1960); then Peter Hilton, Donald Michie, and 
Shaun Wylie, patronized by Alan Turing; but also people like Roy Jenkins. 

Wheel breaking was the most difficult and demanding of all the problems 
encountered in breaking Tunny. Wheel breaking was neccessary in particular 
for the frequently changing p- wheels. Once the cam patterns were known, 
the remaining practical task was to find the right initial setting of the keying 
wheels for each message (the ‘wheel setting’). Once this was achieved, a 
replica of the Tunny machine (built by Sid W. Broadhurst and Frank Morrell 
and finished by June 1942) printed the decrypted plain text. 


% 

V 


19.3.1 The Turing—Newman test. The first pro¬ 
cess to be mechanized was wheel setting. This work 
was initiated and guided by Maxwell Herman Alexan¬ 
der (Max) Newman, who was convinced of pure crypt¬ 
analysis and felt uncomfortable working with hand 
methods. His group was called the ‘Newmanry’. 

Wheel setting in the parlance of Max Newman meant: 
the reconstructed key stream and the particular cryp¬ 
totext stream had to be brought into phase, with the 
assistance of some test such as a Friedman Kappa test 
or Turing’s refinement thereof—Turing’s ‘method of 
scoring’, as Jack Good called it, his ‘deciban theory’, 
derived from ENIGMA Banburismus (Sect. 19.4.2). 

The Kappa test was discovered in the early 1920s by the American cryptolo- 
gist William F. Friedman. Kappa is the ‘index of coincidence’ (often abbrevi¬ 
ated I.C.) between two texts, i.e., the number of coinciding characters divided 
by the total number of characters. While Kappa for two arbitrary cryptotexts 
(based on an alphabet of 26 characters) is normally close to 1/26 = 3.8%, 


Max Newman 
(1897-1984) 
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it is usually much higher when two texts are in the same natural language, 
even if they are encrypted (in-phase) by the same key, about 7% for English 
or German. For details, see Sect. 16.1. 

Some notational details are now required. Two 5-bit letters a and b coincide 
if and only if their sum modulo 2 is (00000), i.e., a © b = 0 . Thus, counting 
coincidences between two texts amounts to counting the number of occur¬ 
rences of 0 in the sum of the two texts. Note that for addition modulo 2, 
as said before, subtraction coincides with addition.' Thus, two 5-bit letters 
a and b coincide if and only if their difference modulo 2 is (00000). 

To demonstrate this in the special case that is of interest here, we take some 
German text 8 of 440 letters together with this text shifted by one letter. 
Next we form the delta. Coincidences, marked by an asterisk, occur where 
the delta is 0 . 

d e r 1 2 f u e h r e r 1 2 h a t 1 2 f u e r 1 2 d i e 1 2 we i t e r e 1 2 k 
er 1 2 f uehrer 12 hat 1 2 f uer 1 2 d i e 1 2 we i terenka 

4 j y 3 cl r i y v j j y 3 t q wk 3 cl r i j y 3 f k u v 3 q 1 u p z j j v 3 j a 

a mpf f ue hr ung1 2 auf 12 si zi 1 i e n1 2 f o1 gendel2r 

mp f f ue hr ung12 auf 1 2 s i zi 1 i e n1 2 f o1 gendel2ri 

1 r 3 0 r i y v f j p s 3 u 2 r 1 3 e a q q h h u f w3 dyr 4 3 f s 4 v3 c n 

* 

i chtl i ni e n 2 b e f o h 1 e nyy 2 3 3 qml 1 1 2 nac hi 2 aus f 

c lit 1 i ni e n2 be f ohl e n y y 2 3 3 q ml 1 1 2 n a c h 1 2 a u s f a 

4 g 2 5 h r r u f 4 x o n y n i wfb0zl0olcf034kfgj 3 u 2 5 4 c 

* * * 

a 1 1 1 2 cl e r 1 2 ma s s e 1 2 cl e r 1 2 i tal i e ni schennkra 

1 1 1 2 cl e r 1 2 ma s s e 1 2 de r 1 2 i tal i e ni schennkrae 

z 0 f 3 f 4 j y3 O 1 i 0 2 v 3 f 4 j y3 5 pwz liuf raj g y f w3 j scl5 
* * 

e f t e 1 2 i ml 2 a n g r i ffsrau ml 2 r e i c h e n 1 2 d i e 1 2 de 

f t e 1 2 i ml 2 a n g r i ffsrau ml 2 r e i c h e n 1 2 d i e 1 2 d e u 

nxz v3 5 ga3 ukpt nj 04kd23a3cj u 4 g y f w3 f k u v 3 f 4i 

* 

ut s che ni2 kr ae f t el2 al 1 ei ni2 auc hi 2 bei l2 g r u 

tscheni 2 kraeftei 2 al 1 ei ni 2 auc hi 2 bei l 2 g r u p 

q y j g y f w3 j s d 5 n x z v 3 u z 0 wur w3 u 2 d g j 3xoub3vtfz 

* 

ppe n we i s er 1 2zus a mine n f a s s u n g 1 2 n i c lit 12 me h r 

pen we i set I2zusa mme n f as s ung 1 2 ni c lit 12 me hr 1 

Oqf ll ua2j y3yp5i lOxfeci 0 5 j ps34r 4g2k3oxyvy 
* * * 

1 2 a u s y 1 2 u ml 2 d e n 1 2 g e 1 ande t e nl 2 f e i n d 1 2 i ml 2 

2 aus yl 2 u ml 2 de nl2 ge1 ande t e nl 2 f e i n d 1 2 i ml 2 a 

3 u 2 5 t r 3 a 3 a 3 f 4 fw3 v 3 wz k s 4 z z f w3 dnur s p3 5 ga3 u 


7 


We shall use the symbol ® meaning addition mod. 2 as well as subtraction mod. 2 . 
From July 13,1943, Generalfeldmarschall Keitel to Generalstab des Heeres. 
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angri ff I2i nl2 das 12 me erl2zurueckzuwe r f e n x 
ngri f f I 2 i n 1 2 d a s 12 me erl2zurueckzuwe r f e nx 1 

kptnj ol 35r w3 f ri g 3 ox 0 j y3ypf f i kevphl j unf z5 

* * 

1 2 mi t 1 2 we i t e r e n1 2 f e i ndl andunge nl2 auc hi 2i 

2 mi t 1 2 we i t e r e n 1 2 f e i ndl a n d u n g e n 1 2 a u c h 1 2 i m 

3 O g p k 3 q 1 u p z j j f w3 d n u r s 3 z k s c j p 3 f w3 u 2 d g j 3 5 g 


ml 2 we s t enl 2 de r 12 i ns e 1 12 muss I2gerechnet 12 
1 2 we s t enl 2 de r 12 i ns e1 12 mus s 12 ge r ec huet 12w 

a 3 q 1 2 y z f w3 f 4 j y 3 5 r d 2 wf 3 O 3 5 0 g 3 v 3 j j k g o f z k 3 q 

There are, in fact, only 14 letter coincidences for a length of 440, or 3.2%. 
Indeed, the index of coincidence for texts shifted by one place is lower than 
the usual Kappa of 7.6% for the German language. However, if a count 
is made of the occurrence of all the 32 symbols in the delta, the following 
surprising distribution is obtained: 

0abcdefghijklmnopqrstuvwxyz2345l 

14 10 2 6 11 3 33 15 5 10 30 14 7 0 10 9 13 9 17 9 5 22 14 17 7 21 16 12 61 17 15 6 

f occurs with 7.5% and j with 6 . 8 % , and 3 even with 13.9% (while the 

average is 1/32 = 3.125%). Thus, the differences of two consecutive letters 
show a much bigger deviation from randomness than the German text itself. 
Moreover, subtracting two consecutive letters was the simplest thing one 
could do by machine operation. This starting point of Tutte’s Delta process, 
devised in October 1942, was described by Max Newman in his 1943 notes. 

The count should be made also for each one of the five tracks of impulses. It 
results in significant deviations from randomnes, too: 

track: 12345 

number of 1: 61.6% 60.5% 43.4% 57.3% 47.0% 

number of 0: 38.4% 39.5% 56.6% 42.7% 53.0% 


19.3.2 Newman’s Theorem. For the following, we define 9 for plain 
letter stream p, cipher letter stream c and key stream k 

A p = p(Bp ( ' 1 ' > , Ac = c®c( 1 ) and Ak = k ® , 

where p- 1 / c^ and A/ 1 ) are p, c, k shifted by one position. 

Now c = p ® k is equivalent to p = c © k 

and Ac = Ap © A k is equivalent to Ap = Ac © A k . 

The key stream k for the Tunny machine is a sum of the key stream y 
generated by the Chi- wheels and the extended key stream generated by 
the action of motor wheels p, \, /j -2 moving the Psz-wheels. Thus with 

k = x© , 

p © •/> is equivalent to c © y and Ap © Atf) is equivalent to Ac © Ay . 


9 In the B.P.-based literature, p , c, k , x , '*/’ , h are often represented by P, Z, K, X, S, D 
(D denoting “de-chi”, meaning “freed from Chi'). 
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Note that while the periods of the five CTw-wheels are fixed and can be 
assumed to be known, the ^-streams are non-periodic and depend on the 
cam patterns of the two motor wheels. However, whenever the motor wheels 
are not moving, then there is a (00000) = 0 in the A^-stream. It is this that 
makes the Delta process so important: With the knowledge of y alone—the 
knowledge of the Chi -wheels cam patterns—by forming in phase c ® %, a 
mutilated plaintext (‘pseudoplaintext’) h = p ® ip will be obtained, and 
since Ah = A p ® A ip , even Ah = A p whenever Aip = 0 , i.e., whenever the 
motor wheels are not moving. 

In simple words: The zeros in the Aip stream acted as windows in the 
Ah stream, through which some A p letters (delta-eel plaintext) could be 
glimpsed 10 . Therefore, wheel setting was done by forming c® yW for all 
phase-shifts i , observing the scores of deviation from randomness. 

19.3.3 German attempts to keep randomness. The German side was 
worried about this decomposition of the task, in particular given that for each 
one of the CTw-wheels the constant period could be discovered by the enemy 
by means of a small number of tests, say 41 for the wheel \i- Therefore, start¬ 
ing in March 1942 and regularly by 1943, the cam pattern of the motor wheels 
and of the Psi -wheels was chosen so that A'tp was ‘close to random’, i.e., for 
ipi, tp 2 , ip 3 , ip 4 , fpb the probability of Aipi = 1 and of Aipi = 0 did coincide, 
Prob[A'0j = 1] = Prob[Ai/4 = 0 ] = | . 

There is a basic theorem (set out in handwritten notes by Newman, whose 
function appears to be that of an operating manual for the Heath Robinson) 
on the probabilities of the occurrence of 0 and 1 in a mod 2 sum of two bit 
streams a, b: 

Prob[a® b =0] = \ + 2 • (Prob[a = 0]-f) • (Prob [6 = 0]-±) 

Prob[a® 6 = 1] = \ - 2- (|-Prob[a = 1]) • (\ -Prob [6 = 1]) 

Proof: Since a ® b = 0 if and only if (a = 0 A b = 0) V (a = 1 A b = 1), 
Prob[a ® b = 0] = Prob[a = 0] • Prob[ 6 = 0 ] + Prob[a = 1] • Prob[ 6 = 1 ] 

= Prob[a = 0] • Prob [6 = 0] + (1 — Prob[a = 0]) • (1 — Prob [6 = 0]) 

= 2 -Prob[a = 0] -Prob[6 = 0] — Prob[a = 0] Prob[6 = 0]) + 1 
= \ + 2 • (Prob[a = 0] -Prob[6 = 0] — \ Prob[a = 0] — \ Prob[6 =0] + j) 
= i + 2 • (Prob[a = 0] - ±) • (Prob[6 = 0] - |). 

Similarly for Prob[a ® b = 1] . cxi 

According to Newman’s Theorem, the probability of the occurrence of 1 in 
a modulo 2 sum of two bit streams is 1 , if it is \ for one of the bit streams. 
It followed that for i = 1,2, 3,4, 5 

Prob[ Api ® Aipi = 1] = \ 

and thus 

Prob[ Ac* ® A Xi = 1] = Prob[ Ac* ® Ay, = 0 ] = \ ■ 

10 Assuming, for example, that the probability for the motor wheels moving is |, then in 
the average every fourth letter of Ah coincides with the plaintext letter from A p. 
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19.3.4 British countermeasures. Presumably, achieving this balanced 
situation on each bit stream was a motivation on the German side for the 
introduction of the motor wheels. But there was a snag in it: Tutte revealed, 
examining two bit streams together, the surprising fact that although each 
one was in itself ‘close to random’, taken together they can provide informa¬ 
tion about the corresponding pair of Chi- wheels. 

This can be seen mathematically as follows: Since 

Prob[A'0j=l] = Prob[A'i/>j=l]-TO, where m = Prob[motor wheels move] < 1, 

from \ = Prob[A'0j=l] • m and i = Prob[Ai/r,'=l]-TO 

simply comes 

Prob[A-0 i =l] = Prob[A^- =1] = g, where q = ^ > \ , or m ■ q = \ , 

which means that there is a common value q> \ for all five streams 11 . With 
the typical value of m = Prob[motor wheels move] = || = 0.703, the choice 
q = Prob[A-0j=l] =0.71 was indeed made in March 1942 on the German 
side, while in August 1941 q = Prob[A-0,=l] « ^ had been observed in B.P. 

Now, when using two bit streams, denoted by the subscripts i, j , 

Prob[A/ij® Ahj = 0] = Prob[(A'0j ® A® (A pi ® A pj) = 0] 
is to be worked out. According to Newman’s Theorem, 

Prob[A-0j ® A ipj = 0] 

= \ + 2 • (Prob[Ai/g =0]-|) • (Prob[Ai/>j =0]-^) 

= i + 2 .(g-i) 2 . 

Furthermore, A^ ® Ai/jj = 0 results if 
either the wheels do not move, probability (1 — m), 

or they do move and A^®A0^ = 0 , probability m■ (| + 2- (q — |) 2 ). 
Altogether Pro^A^j ® A -ipj =0] = (1 — m) + to • (g + 2 • (q — |) 2 ). 
But, surprisingly, m drops out since l = Prob[A^j=l]- to, or m ■ q = -j: 

(1 - to) + to • (g + 2 • (q - \) 2 ) = l + m- 2- g-(g — l) = l + (g — l) = g. 
Therefore, 

(*) Prob[Ai/>j ® A %j)j = 0] = ProbfAV’j =1] = q > \ , 

which shows that A^ ® Atpj is not random. 

Furthermore, let r be the proportion of repeated letters in the plaintext. 
Then A pi ® A pj = 0 can happen in the following ways: 

11 To avoid this, the German side should have used five motor wheels instead of the single 
one /j .2 ■ 
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(1) A pi = 0 and A pj = 0 because of a repeat, with probability r ; 
there remains a non-repeat with probability 1 — r , equally divided among 
the four cases (0,0), (0,1), (1,0), (1,1) of values of (Api,Apj ), thus 

(2) A pi = 0 and A pj = 0 , with probability ; 

(3) A pi = 1 and A pj = 1 , with probability Ap ; altogether 

(**) Prob[Apj © A Pj = 0] = r + ^ ^ ^ . 

By virtue of Newman’s Theorem, from (*) and (**) 

Prob[A/rj © Ahj = 0] = \ + 2 • (q - |) • (pA — §) = \ + {<1 ~ |) • r > \ , 

since r > 0 for meaningful plaintext streams Api and A pj . 

This shows that indeed the sum of two A/i-streams is not random. In simple 
words, it means that B.P. had found out that Tunny still was not safe and 
that there was a way to break it in a large-scale, machine-supported attack. 

The deviation from 1 (in B.P. jargon ‘bulge’) is proportional to the deviation 
from | of Prob[Af/jj=l] and to the proportion r of repeated characters in 
the plain text. 

Typically, q = 0.75, r = 0.2 and thus Prob[A/ij ©Ahj = 0] = 0.55. Hence, 
a probably correct wheel setting is obtained if for a text of length n the score 
for 0 in a stream A hi © Ahj is about 0.55 • n, not too far away from the 
random case 0.5 • n . This shows that wheel setting by testing two tracks was 
still not a particularly stable procedure. 

19.3.5 Further motivation for creating the Newmanry. When this 
problem analysis was completed by Newman, it was decided in December 
1942 to look into the possibility of setting the C/w-wheels for individual mes¬ 
sages by forming c © x * for all phase-shifts i , once the cam patterns of 
the CTw-wheels had been recovered in the Testery. Newman at once commis¬ 
sioned an electro-mechanical machine, the ‘Heath Robinson’. 

The hand methods used so far required a minimum message length of about 
4000, and relied on the information contained in the message indicators. 
However, starting in October 1942, the Germans abolished 12-letter indica¬ 
tors, ‘noticing that they were giving away information that need not be given 
away’ (Tutte). Instead, message indicators were taken from a numbered list 
(the ‘QEP’system) and the British had to rely completely on depths pro¬ 
duced by the frequent sending of as many as 10 messages on the same QEP 
number. This was first observed on the new links Codfish (Saloniki- Berlin) 
and Octopus (Army Group A - Fiihrerhauptquartier [Hitler’s headquarters]). 
The Vienna Athens link closed down in October 1942. 

Starting in August 1942, the German side was instructed to use meaningless 
text (‘ QuatscK) at the beginning of a message to prevent stereotyped begin¬ 
nings as cribs. A deciphered intercept from March 7,1943 on the line Squid 
(Army Group Slid in the Ukraine) shows this, and also the stupid practice 
of text doubling: 
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schornsteinfeger22 

anna3ff2nr3m2yyq2umemrf2vv2kkl2 
anna3ff2nr3m2yyq2umemrf2vv21112 
havxd2332qiwyr2tmfm2qrfp2vv2kkl2 
havxd2332qiwyr2tmfm2qrfp2vv21112 

2an2art3ml2kdr3ml232e212beim2pz3ml2aok232onl22h3ml2gr3ml2sued23w2kkl2 
2an2art3ml2kdr3ml232e212beim2pz3ml2aok232onl22h3ml2gr3ml2sued23vv21112 
332wl2schw3ml2art3ml2abt3ml2332uet2muszte2drei2zwoelftonner2zugmaschinen2mit2 
genehmigung hoeh3ml2art3ml2kdr3ml223epi22zur22332rml2pz3ml2div3ml2abstellen3 
ml2alle2bemuehungen2des2battr3ml2chefs2zugmaschinen2zurueckzubekommen2sind2ge 
scheitert3ml22 

In readable form this message—a complaint from an artillery colonel—says: 

anna/S nr. 661 7.3.43 havxd 18264 5.3.1430 
an art. kdr. 3 beini pz. a ok. 1, h. gr. sued 

2 schw. art. abt. 735 muszte drei zwoelftonner zugmaschinen mit 
genehmigung hoeh. art. kdr. 308 zur 4. pz. div. abstellen. alle bemuehungen 
des battr. chefs zugmaschinen zurueckzubekommen sind gescheitert. 

[2nd battery artillery detachment 735 was ordered to hand over three lorries 
to the 4th armored division and has not got them back.] 

19.3.6 The electromechanical Robinsons. The task of setting the Chi- 
wheels required that both the cipher text and the prepared key text were 
running through a machine simultaneously, and many times over, since all 
phase shifts had to be investigated. The problem could be treated function¬ 
ally by what had been called on the German side the ‘saw-buck’ principle: 
shifting the key against the cryptotext after each round by one step. 12 The 
Newmanry was formed early in 1943. In April 1943, a first model of a fast ma¬ 
chine, ‘Heath Robinson’, went into operation. Its two loops, one for the cryp¬ 
totext, one for the key, were punched on tape. Some more Robinsons were 
built, including ‘Peter Robinson’, ‘Robinson and Cleaver’, ‘Super Robinson’. 
Normally, Robinson was started with the wheels Xi and Xii following an 
early suggestion of November 1942 by Tutte; with a cipher of length 3000, 
41 • 31 • 3000 logical comparisons were needed. It turned out that a ciphertext 
should have a minimum length of about 2500 to be successful. Similar work 
was required to find the wheel setting for X3, X4 an d X5- Success was by no 
means always guaranteed, the statistical properties of the messages varied 
considerably. 

19.3.7 The electronic Colossi. Keeping the two tapes of the Robinson 
synchronized was problematic and also led to mechanical wear. Thus, the en¬ 
gineer Tom Flowers, assisted by Sid Broadhurst, Bill Chandler and Allen 
Coombs developed an improved version, where the key function was internally 
generated by electronic circuitry and the other tape—it was thousands of 
characters long—was read photoelectrically at a speed of 5 000 characters 
per second. Tapes up to 25 000 characters long could be put on the pulleys. 

12 Actually, apart from the normal, ‘long’ runs testing two channels, so-called ‘short’ runs 
using four already-determined wheel settings and testing the fifth channel could some¬ 
times be used. 
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Fig. 165. Partial view of Colossus (presumably Colossus VI). The closed 
loop tape for the cryptotext, the plugboard field, and an array 
of tubes, presumably of type Milliard EF36, are clearly visible. 

The internal electronic circuits with 1500 tubes involved 12 thyratron ring 
stores 13 of a length between 23 and 61, corresponding to the keywheels. One 
valve in a particular ring was conducting at any given moment, then its 
neighbor took over, at a clock rate of 5000 characters per second. The tape 
reader could also handle 5000 characters per second—in five parallel channels 
25 000 bits per second. 14 Colossus allowed flexible plugboard programming of 
elementary Boolean operations and binary (biquinary) arithmetic, in 5-fold 
parallelization. The improved Colossus II with about 2 400 tubes was also 
able to perform conditional branching, and it had a ‘logic switching panel’ 

13 Johnson was misinformed in 1978 and assumed that Colossus was directed against the 
Siemens machine T 52. He therefore mentions 10 thyratron rings instead of 12, correspon¬ 
ding to the 12 keywheels of the SZ40. The correction was made in 1980 by Rex Malik. 

14 D. Michie claims that “in the Mark II version of the machine an effective speed of 25 000 
char/sec was obtained by a combination of parallel operation and short-term memory” . 


Most important was that the new machine used electronic switching circuits 
and was accordingly very fast. Moreover, since preparation of a key tape 
was no longer necessary, the key could be changed very quickly, if required. 
In December 1943, the prototype model, dubbed Colossus I, was ready. By 
February 1944 it was operational against Tunny and successful against the 
Rome—Berlin link Bream. It was the first functioning electronic computing 
device in the world. On June 1, 1944, just in time for the D-Day landings in 
Normandy, the improved Colossus II came into use (Fig. 165). 
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for presetting and manually changing Boolean operations during the run. A 
‘long’ run with the 41 • 31 • 3000 logical operations mentioned above took 12 
minutes. Ten Colossi were built, two more were planned. 

19.3.8 Rectangle method. The Colossi were more versatile than the 
Robinsons. According to Jack Good, Donald Michie showed in 1944 that, 
thanks to the flexible plugboard programming, the Colossi could also be used 
for ‘wheel-breaking’ the Chis. This normally involved more than 20 different 
runs on Colossus, and took several hours of continuous effort. Typically a 
cryptotext of 15 000 letters was required. 

This process, called the ‘rectangle method’ (since two wheels were involved), 
investigated the indexes of coincidence (in B.P. jargon ‘cross-products’ or 
‘flags’) between the pseudoplaintexts A hi, A hj. This was done by counting 
the number of occurrences of 0 in A ft*® Ahj , i.e., the number of coincidences 
in the streams Ac, ® A Cj (read from punched tape) and A \i ® A \j (the cor¬ 
responding pulse streams being generated internally). Frequently Afti, Aft 2 
were chosen, resulting in a 41 x 31 rectangle of the positions of the yq-wheel 
and the x 2 -wheel. For a cipher text of length about 15 000 characters, the 
period of 31-41 = 1271 in the movement of the two C7u-wheels allows just 
12 complete tests (12-1271 = 15 252). The balances of the scores for 0 and 1 
were filled into the 1271 cells (u — v for u Os and v Is). This was the basis 
for an iterative process of approximating the cam patterns (too complicated 
to be described here), which converged for long enough cipher texts. 

In another typical situation, the indexes of coincidence between Afti, Aft 2 , 
A/7.3, A/14 on the one side and Aft.5 on the other side were formed, resulting in 
four rectangles: a 41x23 rectangle, a 31x23 rectangle, a 29x23 rectangle, and 
a 26 x 23 rectangle. This produced a tentative cam pattern for the % 5 -wheel 
and embryonic parts of the cam pattern for the other %-wheels. 

For making rectangles, a small special machine, called Garbo, was used. 
There were also specialized counting machines and other auxiliary machines. 
Proteus was used for short cribs, the crib was dragged through a difference 
of two isologs. Aquarius was used for dealing with pauses during an auto¬ 
transmission while the tape was reset or replaced by another tape. Miles 
could add two streams (modulo 2); impulses could be permuted by plugging. 

19.3.9 Crib runs. Plaintext-plaintext compromises of the key, such 
as ZMUG that started the Fish success, occurecl continually until mid-1944. 
The first step, superimposing two cryptotexts encrypted with the same key 
and reconstructing the two plaintexts (‘cribbing’), was usually done in the 
Testery by hand, much as Tiltman had done. Mechanical support was given 
at times in the form of so-called ‘crib runs’ on the Robinsons and the later 
Super Robinson (also called Double Robinson, or (US Jargon) Dragon, from 
‘dragging text’). Next-to-obvious cribs like 

2angriff2 2der2feind2 2taetigkeit2 2aufklaerung2 2heeresgruppe2 

([attack] — [the enemy] - [activity] - [reconnaissance] — [army group]) 
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were a tremendous help, as were typical CCITT 2 forms produced by letter- 
figure-shifts such as 

3ml2armee (in readable form , u armee) 3ml2div3m (in readable form , u div.) 
3ml2pz3m (in readable form . u pz. ) 12roem23 (in readable form u roeraut, 

where f means Figure Shift). 

‘Cribbing’ produced the key k, which in a second step had to be decomposed 
into its x - and ip- part, k = x © V’ • 

This was a more time-consuming task, as Tutte had experienced. However, 
the periods of the Chi wheels and of the Psi wheels were already known. 

19.3.10 5202. The US Army used the 5202, a 35-mm-film COMPARATOR 
(17.3.4) for sliding Tunny text against a known key sequence, capable of com¬ 
plex comparisons and statistical tests; it was not operational until April 1945. 

19.3.11 Evaluation of the British cryptanalytical attack on Tunny. 

Newman’s success was based on Tiltman’s and Tutte’s work and on the sup¬ 
port Tester and his ‘Testery’ gave with manual and linguistic methods (and 
also by deriving plaintext p from ‘pseudoplaintext’ h, as was done in the 
Turingery). Essential, however, was Newman’s belief in pure, mathematical 
cryptanalysis. Lack of insight on the German side also contributed to the 
success. Above all, while the CCITT 2 code was already ill-suited to the 
needs of cryptographic security, the German predilection for doubling made 
the situation worse. And the use in the Lorenz machine of five pairs of ci¬ 
pher wheels, each one for a single-bit-channel, allowed what was, in principle, 
an enormous cryptanalytic problem to be decomposed into five independent 
problems, each much simpler. This weakness was only superficially cured by 
the German’s introduction of non-periodic movement of the Psz-wheels by 
means of the motor wheels, and the possibility of the subtle analysis that the 
British carried out was overlooked. It would have been better if the motor 
wheels had not stopped the ■i/'-wheels, but had made them move two steps 
from time to time. Likewise, it would have been better, as said before, to use 
five motor wheels, one for each track, instead of the single one p .2 ■ German 
arrogance prevented this. In fact, the introduction of the motor wheels was, 
compared with the Siemens T 52, an ‘illusory complication’. Donald Michie 
remarked: “If the motor wheels had been omitted from the German design, 
it is overwhelmingly probable that the Fish codes would never have been 
broken”. 

It is no denigration of the British success to state that the Colossus machines, 
the first electronic computers, were mainly oriented towards a very limited 
set of functions, i.e., computing only in a very special sense, and that their 
control was roughly at the same level as the machines Z3 (1941) and Z4 
(1944) of Konrad Zuse (1910-1995), which were loop-controlled, too; Zuse’s 
machines, however, were not electronic. 

Whether the Colossus machines were used for tasks other than ‘wheel-setting’ 
and ‘wheel-breaking’—they could well have been—remains open. 
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19.3.12 The importance of the break. In the USA, there was no elec¬ 
tronic cryptanalytical development comparable to the British Colossus until 
mid-1944. Vannevar Bush’s attempts to build a similar electronic machine, 
called the COMPARATOR, suffered from a number of engineering failures. 
But “by the time Japan surrendered, the Americans were building electronic 
machines [the 5202 machine] using twice as many tubes as the British Colos¬ 
sus” (Burke). Actually, the non-cryptanalytic ENIAC, finished in February 
1946, had approximately ten times as many valves. 
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Fig. 166. Some wireless teletype connections with SZ40, SZ42, 

broken between November 1942 and July 1944 by Bletchley Park cryptanalysis 


After 1943 the British supplemented the ENIGMA stream of messages mainly 
from the German Air Force with their successful breaking of the German 
Funkfernschreibverbindungen (wireless teletype connections) within the high¬ 
est command structure, which mainly used SZ40 and SZ42. Although the 
decryption normally took up to a few days because wheel breaking was in¬ 
volved, the strategic intelligence received in this way was worth the effort. 

Tunny breaks (Fig. 166) included (to mention only a few) the Codfish link be¬ 
tween the Berlin center in Strausberg (‘HOSF’) and HGrE (Army Group E) 
in Thessaloniki (from November 1942) and the Herring link between HGrC 
(Army Group C of Field Marshal Albert Kesselring) in Rome and PzAOK5 
(Field Marshal Erwin Rommel’s Panzerarmee) in Tunis (from January 1943). 
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From May 1943 the Bream link between Berlin and HGrC (Army Group C) 
was broken, as was the Squid line between the Fuhrerhauptquartier cen¬ 
ter ‘ANNA’ near Konigsberg, operated by GenStdH (General Staff of the 
Army), and HGrSiid (Army Group South) in the Ukraine from March 1943. 
One important consequence was that the German attack against Kursk in 
July 1943 was a disaster. In 1944, these early breaks were supplemented by 
many more, among them the Jellyfish 15 link between Berlin and the OB West, 
(Supreme Commander West, Field Marshal Gercl von Rundstedt), and one in 
the Gurnard link between Berlin and the OBSudost (Supreme Commander 
South-East, General Alexander Lohr). The Germans were unsuspecting. 

The British had bad luck, too. On June 10, 1944, four days after the D-Day 
landings and ten days after Colossus II went into operation, they lost their 
entry into the link from Berlin to von Rundstedt and then in July also into 
the link from Berlin to Kesselring; only in September 1944 did they catch 
up again. These setbacks were brought about by a radical addition to the 
Lorenz machine—in the Tunny literature called ‘limitations’—similar to the 
Klartextfunktion ‘Plaintext Bit 5 Two steps back’ on the Siemens machine. 

When more and more Colossus machines came into use, their growing success 
against the SZ 42 came just in time to compensate for the growing difficul¬ 
ties in ENIGMA decryption. The British successes culminated in volume 
in March 1945; from then on the collapsing Wehrmacht no longer provided 
enough work for Bletchley Park. 

19.4 Adjustment ‘in Depth’ of Messages 

The examples so far invited immediate superimposition, since the cryptotexts 
were already in phase (‘in depth’)—as they were in the operation of the Swiss 
army ENIGMA, which used the same initial setting for all messages of one and 
the same day. If two cryptotexts are encrypted with different initial settings 
of the same (mechanically generated) key sequence, they must be mutually 
adjusted (‘fitted’) to be in phase for superimposition. This can be achieved 
as in Sect. 17.1 by a Kappa examination. The cryptotexts are presumably 
properly adjusted as soon as their mutual Kappa becomes maximal and is 
close to ns , which indicates whether the keys overlap at all. 

19.4.1 Direct use of the indicator for adjustment. Sometimes texts 
can be adjusted more simply. If for the encryption of a series of messages 
a frequently changing key is to be used, it may be recommended to start 
each message at a different key position of one and the same key sequence. 
Avoiding a prearranged protocol, it is common practice to indicate at the 
beginning of the message the starting position. This so-called indicator 
(German Spruchschliissel , not to be confused with discriminant, German 
(Schlussel-)Kenngruppe, which indicates the system to be used) may mean 


15 Jellyfish was considered in B.P., according to Jack Good, to be the least difficult to break. 
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anything from the page and line in a book used for the key text to the initial 
setting of the wheels of an encryption machine. This hides the key, of course, 
but it does not prevent direct adjustment, if from the indicators of two mes¬ 
sages their phase difference can be calculated or somehow determined—then 
it is only a complication illusoire, frequently overlooked. (In professional en¬ 
cryption, the indicator was therefore encrypted itself, as for example in the 
ENIGMA traffic.) 

19.4.1.1 A simple example deals with indicators for the superencryption of 
code. If the indicator simply shows the page and line in a book, only the 
number of lines per page has to be found out to calculate the phase shift— 
and even this number is commonly roughly known. This is the situation 
in the following example by Kahn of a 4-digit code with 4-digit numbers as 
additives, the indicator in front of the message comprising 2 digits for the 
page and 2 digits for the line. If five messages use the same page, say 62, 

(i) 6218 6260 7532 8291 2661 6863 2281 7135 5406 7046 9128 . 

(ii) 6216 3964 3043 1169 5729 3392 1952 7572 2754 7891 6290 . 

(iii) 6218 4061 6509 4513 1881 0398 3402 8671 4326 8267 6810 . 

(iv) 6218 5480 9325 3811 4083 5373 4882 8664 8891 6337 5914 . 

(v) 6217 7260 8931 8100 5787 6807 2471 0480 9892 1199 8426 . 

they can be adjusted immediately: 

123456789 10 

(i) 6260 7532 8291 2661 6863 2281 7135 5406 7046 9128 . 

(ii) 3964 3043 1169 5729 3392 1952 7572 2754 7891 6290 6719 7529 . 

(iii) 4061 6509 4513 1881 0398 3402 8671 4326 8267 6810 . 

(iv) 5480 9325 3811 4083 5373 4882 8664 8891 6337 5914 . 

(v) 7260 8931 8100 5787 6807 2471 0480 9892 1199 8426 1710 . 

For a frequency analysis of the columns of encicode groups there is usually 
not enough material. In the case of linear substitution, in particular for an 
additive superencryption in Z 10 , as should be assumed in the present case, the 
symetrie de position introduced in Sect. 18.6.2 can help. Thus, the difference 
method forms for every column a difference table, of which two examples (for 
the first and for the fifth column) are given in Fig. 167. 


0000 

5101 

2209 

1880 

8339 

0000 

9391 

6575 

1590 

4492 

5909 

0000 

7108 

6789 

3238 

1719 

0000 

7284 

2209 

5101 

8801 

3902 

0000 

9681 

6130 

4535 

3826 

0000 

5025 

8927 

9220 

4321 

1429 

0000 

7559 

9510 

8801 

5085 

0000 

3902 

2771 

7872 

4970 

3551 

0000 

6618 

5909 

2183 

7108 

0000 


Fig. 167. Two examples of difference tables 


In view of the large size of 8 difference tables, each with 20 essential entries, it 
is preferable to order all entries for finding multiple occurrences. Figure 168 
shows a suitable segment of such a table. 
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difference in Z^ 0 


8209 = 0480 - 2281 
8801 = 4061 - 6260 
8801 = 5373 - 1512 
9077 = 6509 - 7532 
9106 = 5914- 6810 
9220 = 5480 - 6260 
9220 = 1881 - 2661 
9308 = 3811 - 4513 
9391 = 1952 - 2661 
9391 = 6337- 7046 
9391 = 6810 - 1529 
9510 = 5373 - 6863 


column line 


6 (v)-(i) 

1 (iii)-(i) 

5 (iv)-(ii) 

2 (iii)-(i) 

10 (iv) — (iii) 

1 (iv)-(i) 

4 (iii)-(i) 

3 (iv)-(iii) 

4 (ii)-(i) 

9 (iv)-(i) 

10 (iii) - (ii) 

5 (iv)-(i) 


Fig. 168. Differences occurring, ordered 


If now a difference occurs repeatedly, then the subtrahends are to be sub¬ 
tracted in the respective columns. As shown in Fig. 169, for the difference 
8801, 6260 is to be subtracted in column 1, 1512 in column 5; likewise for 
the difference 9391, 2661 is to be subtracted in column 4, 1046 in column 
9, 1529 in column 10. Here these two subtractions cover already these origi¬ 
nating from the difference 9220, which is a confirmation that the phases were 
adjusted correctly. 



1 ’ 

2 

3 

4’ 

5’ 

6 

7 

8 

9’ 

10 ’ 

(i) 

0000 

7532 

8291 

0000 

9391 

2281 

7135 

5406 

0000 

2609 

(ii) 

5909 

5729 

3392 

9391 

0000 

2754 

7891 

6290 

9773 

0000 

(iii) 

8801 

6509 

4513 

9220 

3826 

3402 

8671 

4326 

1221 

9391 

(iv) 

9220 

9325 

3811 

2422 

8801 

4882 

8664 

8891 

9391 

8495 

(v) 

2771 

8100 

5787 

4246 

5909 

0480 

9892 

1199 

1480 

4291 


6260 



2661 

1512 




104 6 

1529 


Fig. 169. Partially reduced messages 


In the reduced columns in Figure 169, the placode groups 0000, 9391, 
9220, 8801, 5909 occur repeatedly. The groups in slanted typeface below 
the columns give the relative key. Further reductions (not listed here) are pos¬ 
sible, they bring all five messages into a monoalphabetically encrypted inter¬ 
mediary text, into a relative placode, which can be treated as in Sect. 18.3.2. 
The difference method does not always work as well as it may seem from this 
example. Frequently, only islands of interconnected groups are found at first, 
and further material is needed to join them into archipelagos. If the depth 
of the messages is insufficient, it may still happen that only partial solutions 
can be reached. Moreover, wrong coincidences of differences may occur. In 
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our example, the difference 1480 originates not only from the column 9: 
1480 = 8426 — 7046, but also from the column 6: 1480 = 4882 — 3402 . 
This would indicate a reduction of column 6 by 3402 . This, however, would 
introduce wrong placode groups, as one would find out later. 

19.4.1.2 The experts in the cryptanalytic service of the German Auswar- 
tiges Amt , Paschke, Kunze, Schaufffer, and Langlotz, had a long standing 
in the profession. They all joined the office in 1918 or 1919, first headed by 
Capt. Kurt Selchow. Adolf Paschke was the nominal head of the linguistic 
section. Dr. Werner Kunze, the mathematician (at that time a rarity in the 
cryptanalytic service) started attacking a French superencrypted code in 1921 
and finally reconstructed it in 1923; he resumed this work in 1927. Thus, he 
had long years of experience in stripping off superencryption of code. The 
unit was first camouflaged as Z section of Division I, Personnel and Budget; 
in 1936, a reorganization changed its name into Pers Z. 

The cumbersome stripping work was mechanically supported and semiauto- 
matecl. Hans-Georg Krug built such ‘robots’, as Kahn called them, partly 
from punch card equipment, partly from standard telecommunications com¬ 
ponents. With this help, Hans-Kurt Muller, Asta Friedrichs and others suc¬ 
ceeded in decrypting the diplomatic code of the USA, effective August 1941 
till the summer of 1943. Allen W. Dulles (1893-1969), who was then the 
US Secret Service boss in Europe, suspected nothing, until warned by Hans 
Berncl Gisevius from the German Widerstand. Similar ideas were followed 
at OKW /Chi, the cipher branch of the OKW, by the engineers Wilhelm 
Rotscheidt and Willi Jensen, as mentioned in Sect. 18.6.3. And the B-Dienst 
of the Kriegsmarine succeeded in solving the British naval cyphers. 

The Allies and some bureaus of the neutrals used the same techniques. “The 
single most common cryptanalytic procedure of the war [was] the stripping 
of a numerical additive from enciphered code” (David Kahn). 

In 1936, Kunze did fine work, too, in solving the Japanese ORANGE rotor 
machine (Sect. 8.5.7) and later the RED machine. Foreign Minister Joachim 
von Ribbentrop considered Pers Z as a special weapon in his struggle with his 
rivals “Reichsmarschall” Hermann Goring and “Reichsfiihrer SS” Heinrich 
Himmler. Notwithstanding this, OKW/ Chi and AA /Pers Z continued to be 
successful: Cort Rave (1917-2001) reported 16 that during the war his team, 
a group of linguists, technicians and mathematicians, solved day by day the 
PURPLE signals of the Japanese ambassador Hiroshi Oshima. 

19.4.2 The Polish ‘clock method’ and Banburismus at B.P. Direct 
adjustment was impossible for the indicator systems used with the ENIGMA. 
Thus something like a search for repetitions or a coincidence count along the 
lines discussed in Chap. 16 was necessary. The adjustment of the messages 
was Stage 1 of both the method (called the ‘clock method’) of Jerzy Rbzycki 
(1909-1942) and its elaboration by Turing in Bletchley Park (Jack Good), 

16 Personal communication via both Otto Leiberich and Jiirgen Rohwer. 
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where it was called ‘Banburismus’ because the long overlay sheets of paper 
(‘banburies’) containing the messages in a l-out-of-26 code (see Fig. 138) were 
produced in Banbury, a little town near Oxford. Turing and Good developed 
for the purpose of the ‘in depth’ adjustment a particular method of ‘scoring 
the repeats’ (in jargon called ROMSing), which means weighing the repeti¬ 
tions: intuitively one would expect that, for example, two bigram repetitions 
favored adjustment more than four monogram repetitions. Turing used a 
logarithmic unit [ban] (Chap. 12), a decimal counterpart to Shannon’s binary 
unit of information [bit]; 1 [ban] = 1/ I0 log2 [bit]. 1 [deciban] « 0.332 [bit], 
the practical unit used in Bletchley Park, corresponds to 1 [dB] (decibel). 

Turing and Shannon obviously developed their ideas independently and met 
only around the end of 1942. “ Turing and I never talked about cryptogra¬ 
phy” (Claude Shannon). It could well be, as Ralph Erskine thinks, that before 
July 1941 the cryptanalysts in Bletchley Park were unaware of the Kappa 
test of Friedman (Sect. 17.1) or the Phi test of Kullback (Sect. 17.5). In fact, 
Turing speaks of ‘repetition frequency’ (in his Treatise on the Enigma , the 
‘Prof’s book’, written in late summer or early autumn 1940), Jack Good and 
Hugh Alexander use the expression ‘repeat rate’ for Friedman’s ‘index of coin¬ 
cidence’. And Good uses ‘weight of evidence’ (Charles Saunders Peirce 1878) 
where Shannon speaks of the amount of ‘information’. Turings ‘Sequential 
Bayes R.ule’(Michie) contrasts Abraham Wald’s ‘Sequential Analysis’ of 1943. 

Anyhow, Turing was ahead of Friedman in one respect. Friedman’s philoso¬ 
phy was based primarily on investigating the coincidence of single characters, 
and even in Kullback’s work of 1935 only the coincidence of bigrams was given 
attention, the coincidence of trigrams was only marginally mentioned. How¬ 
ever, in the Prof’s book and in Alexander’s summary thereof, the probability 
for coincidence of n-grams with rather high n is discussed and the method 
of scoring is sketched. Clearly, two trigram repeats, for example, score more 
points than three bigram repeats, and for tetragrams and hexagrams Alexan¬ 
der mentions their probability which is about lOO-(^) 4 and 1500-(^) 6 . This, 
however, is much larger than («d) 4 or (/vd) 6 (with Kd ss 2 • A) one would have 
if four or six independent coincidences occured. Heptagrams (n= 7), octa- 
grams (n=8), and sometimes even enneagrams (n=9) turning up in examples 
are considered to give practically certainty about the adjustment differences. 

19.4.2.1 We now give two examples of Stage 2 of the method. The ‘clock 
method’ of Jerzy Rbzycki was intended for dealing with the indicator dou¬ 
bling system of the 3-rotor Wehrmach.t ENIGMA. The adjustment of the 
cryptotexts results in a difference in the plain indicators: If two messages are 
found with encrypted 3-letter indicators that coincide in the first two letters, 
say AUQ and AUT, then the plain indicators also coincide in the first two 
letters, and the difference of their third letters, i.e.,the shift for adjustment, 
equals the difference of Q and T. Thus, at least the fast rotor Rjy (the initial 
setting of which was indicated by the third letter of the message setting) was 
under observation. Deavours and Kruh give the following example: From sev- 
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eral pairs of ‘in depth’ messages, the third position of the encrypted indicator 
showed the following observed values: 


first message 

R 

F 

N 

B 

D 

T 

N 

M 

K 

M 

second message 

F 

K 

K 

Y 

Y 

Y 

Q 

Q 

O 

C 

adjustment difference modulo 26 

07 

12 

03 

11 

04 

02 

14 

21 

06 

06 


These data form two disconnected chains of 8 and 4 letters: 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

R...Q..F.M.CN. . K.O 

B.D.T.Y . 

Sliding the plaintext alphabet along the first chain, a non-crashing situation 
with a reciprocal pair, namely (k n) , is found for the following shift mod 26: 

uvwxyzabcd e f gh i j k lmnopq r s t 

R...Q..F.M . CN. . K.O 

Using all possibilities for reciprocal pairs, the following hull is obtained 
uvwxyzabcd e f gh i j k lmnopqr s t 

R...Q..FJM.B. . .CN.DKT.YU.O 
where, among the letters J B D T Y U that appear additionally, B D T Y 
have the correct relative distance that is found in the second chain. 

There are the seven 2-cycles (bf)(cj)(dm)(kn)(ot)(qy)(ru). Thus, fourteen 
possible starting positions of the fast rotor are revealed by the fourteen cases 
BCDFJKMNOQRTUY of the third letter of the encrypted message setting. 

We shall see how for the rotors I ... V the position of one notch (Sect. 8.5.3) 
could be determined, and thus which rotor was used as the fast rotor. This 
meant in the Polish bomba (19.6.3.4) and with the Zygalski sheets (19.6.3.5) 
a reduction in the number of rotor orders to be tested from 60 to 12 = 4 • 3 . 
19.4.2.2 The situation is not very different with the Navy indicator system, 
which was the object of Turing’s elaboration of Rbzycki’s clock method. 
Again, if a message pair is found with ‘ Verfahrenkenngruppen ’ (i.e., encrypted 
message settings, see Sect. 19.6.4.1) that coincide in the first two letters, say 
BBC and B B E, then the message settings also coincide in the first two 
letters, and the difference of their third letters, i.e., the shift for adjustment, 
equals the difference of C and E. 

The following example goes back to a 1945 report by A.P. Mahon that was 
recently released: From several pairs of messages adjusted with the Banbury 
sheets, with the following pairs of nearby encrypted message settings and 
corresponding adjustment differences mod 26 


BBC 

BBE 

02 

ENF 

EPQ 

07 

RWC 

RWL 

13 

I US 

I UY 

03 

Z DR 

Z I X 

05 

S UD 

S WI 

23 

P I C 

P NX 

21 





the third position of the encrypted indicator shows the following values: 

first message setting C C R C F S D 

second message setting E L X X Q Y I 

adjustment difference modido 26 02 13 05 21 07 03 23 
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The first four of these data form a chain of the letters R X C E L : 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 

R.X . . . . C . E.L . . 

Sliding the plaintext alphabet along the chain until a non-crashing situation 
is found, the following shift modulo 26 is possible: 

tuvwxyzabcde f gh i j k lmnopqr s 

R.X . . . . C . E.L . . 

Forming the hull of reciprocal pairs and using in addition the remaining three 
data, a non-crashing solution is obtained 

tuvwxyzabcde fghi j k lmnopqr s 
RS..YXI..DCFE.. Z ..Q....LTU 

There are seven 2-cycles: (cd)(ef)(iz)(lq)(rt)(su)(xy). Thus, fourteen 

possible starting positions of the fast rotor are revealed by the fourteen cases 
CDEFILQRSTUXYZ of the third letter of the encrypted message settings. 

19.4.2.3 Now comes Stage 3. In the second example, for the pair (RW C, 
R W L) of encrypted message settings the plain message settings are of the 
form (**d, **q). Stephen Budiansky writes: “The brilliant part of Turing’s 
method 1 ' was the next leap”. Mahon describes it as follows: The turnover 
notch was located at a different position on the various rotors. On rotor IV, 
for example, it occurred between J and K (see Sect. 8.5.3). He continues 
to show that this leads to a contradiction, since the transition at J—>K lies 
between cl and q and would mean a turnover of the middle wheel. Thus, 
rotor IV is ruled out as the fast rotor; likewise rotor II with a transition at 
E —> F and rotors VI, VH and VEH with a transition at M —> N. 

Indeed, the ‘clock method’ and Banburismus at B.P. served to rule out rotors 
in the rightmost position and thus to reduce drastically the number of rotor 
orders to be tested: usually for the Navy ENIGMA with luck from 336 to 
42 = 7-6, otherwise (i.e., in the case of rotors VI, VH, VUI) to 126 = 3-42; for 
the Army and Air Force ENIGMA from 60 to 12 = 4-3 . By more sophisticated 
reasoning, sometimes in addition rotors could be excluded as a middle rotor. 

19.4.2.4 Banburismus was an essential help at B.P. until September 1943, 
when enough Turing-Welchman BOMBEs were available. Joan Murray nee 
Clarke (1917 -1996) is said to have been one of the best Banburists in B.P. 
(Alexander). But “to use Banburismus procedure [for Naval ENIGMA] the 
codebreakers needed to know [a large part of] the content of the bigram 
tables. ... It was November 1940 before the Banburismus procedure helped 
to break a Naval Enigma setting for the Erst time. Three days were broken: 
April 14, May 8 and June 26,1940” (Hugh Sebag-Montefiore). Unfortunately 
it turned out that a new set of bigram tables had been introduced on 1 July. 


17 Budiansky forgets to mention that this was also a brilliant idea Rozycki had in about 
1935: “... the clock, devised by Jerzy Rozycki ... made it possible in certain cases to de¬ 
termine which rotor was at the far right side on a given day in a given Enigma net.” 
(Wladislaw Kozaczuk, 1985). 
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So Banburismus could not be tried out on subsequent messages until the new 
set of bigram tables was reconstructed. 

19.4.3 Depth cribbing and in-depth adjusting by double cribbing. 

A pair of isologs in an ENIGMA cipher, forming a ‘depth of two’, allows one 
to make a particular use of a crib for one of the ciphertexts to obtain a frag¬ 
ment of the plaintext belonging to the other ciphertext: not only lead iden¬ 
tical ciphertext letters in some position to identical plaintext letters in this 
position, but moreover the self-reciprocal property means that this also holds 
crosswise, as demonstrated in the following example (Mahon 1945) with bold 
letters: 

123 4 5 6 78 9 10 11 12 13 14 15 16 17 18 19 20 

BHNW SMSAWMNTCKNNP Z 
wet t e r fue rdienacht 

CNNJ TRQNW S TTCXRCDS LD 
. ,t..m..e..ie..n.... 

In the circumstances of the example, minesweepers played a role and the mes¬ 
sage could contain a boat number; moreover a tripling of the ‘m’ designating 
the boat class could be guessed. This leads to conjecture 

mitmmmdre isiebeneins, in clear ‘M371’. 
Since the crib is to be tested only in the few non-scritching positions (see 
Sect. 14.1), the method is quite effective, provided good insight into the en¬ 
emy’s usage has already been built up. 

Cribbing can also be used for in-depth adjusting of two ciphertexts: a hit is 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 3 24 25 

QWAWS UHDWMTNCNKHPZFHY 
vorher sagebereichdrei 

FDQRLTULEWGDQPBOXNZRNCIOZ 
zustandostwae rtigerkanalx 

This method, which helped the Banburists in particular during the blackout 
in 1942, died with Banburismus in autumn 1943, when enough BOMBEs 
were available. 

19.5 Cryptotext-Cryptotext Compromises 

A dangerous situation occurs in practice if a message is to be repeated only 
insignificantly changed; for example, by correcting a typing mistake. If the 
corrected message is sent again with the same key, a plaintext-plaintext com¬ 
promise starts from the position of the mistake, with all the bad effects 
discussed so far. 

A classic example of such an attack was offered in December 1938 and January 
1939 by a pair of radio signals from the Rumanian military attache in Paris 
to his Foreign Ministry, which differed in length by only two 5-letter groups. 
According to Hiittenhain, OKW/ Chi succeeded in decrypting the signals, it 
turned out that only the plaintext fragment /Heft 17/ of the first signal was 
replaced by the plaintext fragment /Heft 15 statt 17/ in the second signal. 
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19.5.1 Cryptotext-cryptotext compromise of the keys. If the cor¬ 
rected message is sent again with a different key, a cryptotext-cryptotext 
compromise occurs up to the position of the mistake. Such a mistake (reenci¬ 
pherment, reencodement) happens frequently. A particularly dangerous risk 
of a break exists if this is done in the same system: the resulting ‘isomorphic’ 
(Sect. 2.6.3) cryptotexts have equal length, which is very conspicuous. 
Cryptotext-cryptotext compromise of the keys is inherent in message key net 
systems if a circular message is to be sent out, possibly to dozens or hundreds 
of recipients, each with their own key. It seems that German cryptologists 
underrated this danger, that their signal officers were not warned enough, and 
that this negligence continued till the end of the war. Rear Admiral Ludwig 
Stummel, responsible for the cryptanalytical security of the radio signals of 
the German Navy, introduced in 1943 a great number of key nets and in mid- 
1944 gave each U-boat its own key (Sonderschliissel). It was thought this 
would give the adversary so much individual work that it would contribute 
to Germany’s cryptanalytical security. But it was a self-defeating complica¬ 
tion: for top secret ‘ offizier ’ messages, it was “... actually helpful, because 
the same message would often appear in several keys, sometimes on differ¬ 
ent days” (Rolf Noskwith). Even Stummel could not manage to formulate 
important general orders for each key net or even for each boat individually. 
When in 1942 the 4-rotor ENIGMA (see Sect. 11.1.11) was introduced only for 
the submarines, compromises were frequently caused by transmitting general 
orders for the other ships encrypted with the 3-rotor ENIGMA. Here the 1914 
warning of Sir Alfred Ewing, head of Room 40 , would have been appropriate: 
“It is never wise to mix your ciphers. Like mixing your drinks, it may lead 
to self-betrayal.” But Grossadmiral Karl Donitz’s staff did it anyway. 

We cannot properly speak of a cryptotext-cryptotext compromise of the keys 
if they are public. But note that only the encryption keys are public, not 
the decryption keys, and they are what we mean—in a symmetric encryption 
method, there is no difference. In fact, the risk of cryptotext-cryptotext 
compromise is inherent in public-key cryptosystems. 

In the jargon of Bletchley Park, a cryptotext-cryptotext compromise of the 
keys was called a ‘kiss’. One could not have better expressed the joy at such 
a stroke of luck. Fortunately for the British, the smaller boats of the German 
Navy did not have ENIGMAs, but had to use a simple bigram encryption 
(Werftschliissel ). The large ships did not have this key or did not like to 
use it. If now certain messages—warnings about floating mines—had to be 
transmitted quickly, nobody took the trouble to reformulate the plaintexts. 
The British occasionally provoked such situations with the aim of establish¬ 
ing cryptotext-cryptotext compromises of the difficult 4-rotor ENIGMA with 
the easily breakable simple bigram substitution. With British humor, they 
called this ‘gardening’. In fact, this technique meant a transition to a clas¬ 
sic plaintext-cryptotext compromise situation, where the decrypted message 
furnishes a ‘crib’ of not only probably, but certainly contained words. 
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On May 7, 1941, the German weather ship Miinchen was captured by the 
British Navy and the Wetterkurzschlussel fell into British hands. From the 
weather reports of the U-boats, decrypted by George McVittie (1904-1988), a 
flow of kisses originated, filling the cribs of Bletchley Park for the ENIGMAs; 
this continued until 1944. The bridge players were pleased about these ‘cross- 
ruffs’ 18 . Seizing U-559 on October 30, 1942 even resulted in a compromise 
of the new 4-rotor ENIGMA by weather reports. This and the break of the 
Kurzsignalheft for convoy sighting reports prefixed by the Morse signal ‘B bar’ 
helped to bring an end to the blackout on SHARK (‘Triton’) in 1942. 

The lesson is that the collateral use of code superenciphered by a one-time key 
generated by a machine, together with repeatedly used additives, if the latter 
encryption is broken already, compromises the ‘individual’ key and leads to a 
reconstruction of the machine that produced it. This misadventure befell the 
German AA ( Auswartiges Amt) which used, presumably because of a shortage 
of one-time key material, on the line Berlin-Dublin in parallel the GEC 
(FLORADORA) double superencryption of code which was already (see Sect. 
9.2.1) broken by the British. A long part of the one-time key, codenamecl 
GEE, could thus be investigated. It turned out (see Sect. 8.8.7) that it was 
generated by a machine; an SIS team led by Thomas Waggoner was able to 
reconstruct it. Thus, the total traffic of the AA, considered unbreakable, was 
laid open. 

19.5.2 Reduction to a plaintext-plaintext compromise. For the 

case of a VIGENERE encryption, in particular superencryption by additives, 
a cryptotext-cryptotext compromise can be reduced simply to a plaintext- 
plaintext compromise: the plaintext is regarded as key text, the key text as 
plaintext. This is just another case of the swapping of roles we saw in 
Sect. 19.2.3 . This means that the methods of superimposition and of symetrie 
de position are applicable. It is not required that the polyalphabetic encryp¬ 
tion is periodic. The precondition for the swapping of roles is again that the 
keys are in prose and thus show frequency characteristics and/or patterns. 
To give an example, there are five signals of equal length 

12345 6789 10 1112131415 1617181920 2122232425 2627282930 

(i) TCCVL ESKPT XMPVW HYMVG XBORV CWARF 

(ii) VLLBV CKWFP EHECF CGNZE KKKVI HDDID 

(iii) MYYRD M J WM C UIGLO KMXLR EWHXM RJHAS 

(iv) BKQTZ BZWKW ZXGZO VTBAT K WM G M RJKLP 

(v) MYYVH BWJDX CPCZO HVTSI VMEBS OHRAU 

3132333435 3637383940 41424344 

(i) RRDYC TKLBL MGLW 

(ii) SVFKQ AJVCR FKLK 

(iii) HBRNU TRVGJ XJPW 

(iv) KOWHU CBDUF TVEF 

(v) SDANI TYHFK ZZWG 

18 A cross-ruff was successfully played in July 1918 by J. Rives Childs of G.2A.6, A.E.F. 

on the Mackensen telegram about the withdrawal of German troops in Rumania. 



422 19 Compromises 


and there is reason to expect a linear substitution. For each column, the 
differences over Z 26 are determined. Six of these columns show coincidences 
in particularly many differences: 2, 4, 7, 9, and 11, as indicated in Fig. 170. 


1 13 18 


0 

24 

7 

18 

7 

0 

11 

9 

9 

13 

0 

25 

15 

11 

19 

2 

0 

9 

20 

9 

15 

0 

24 

24 

2 

1 

0 

16 

12 

20 

19 

17 

0 

11 

0 

17 

2 

0 

0 

4 

11 

10 

0 

22 

4 

8 

6 

15 

0 

15 
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0 
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15 
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4 

0 

8 

19 

17 

0 

11 

0 

13 

24 

22 

22 

0 

7 

6 

22 

18 

0 

22 

0 

17 

5 

5 

15 
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13 

13 
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Fig. 170. Six difference tables belonging to the columns 1. 13, 18, 22, 27, 36 


19.5.2.1 The difference method again. We start with the remark that 
t + 7 = a, a + 4 = e, t + ll = e; this fits table 18, with (t, a, e) = (M, T, X); 

t + 7 = a, a + 4 = e, t + 11 = e ; this fits table 27, with (t, a, e) = (W, D, H). 

This connects columns 18 and 27. Furthermore, 

t + 7 = a, a + 2 = c, t + 9 = c; this fits table 1, with (t, a, c) = (M, T, V); 

t + 7 = a, a + 2 = c, t + 9 = c; this fits table 36, with (t, a, e) = (T, A, E). 

This connects columns 1 and 36. Next, column 22 connects columns 36 and 27 
by means of 9, 11; column 13 connects columns 1 and 18 by means of 2, 4. 
(It will turn out that the differences 9 and 11 in the first line of Table 13 are 
accidental.) 

Taking now the first column as reference and aligning the other five columns 
on the basis of the most frequent differences produces the following skeleton: 
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This 

skeleton (with 

the 

shift indicated by slanted numbers) 

can be tested by 

the columns 

5, 

6, 7, 

10, 

12, 

19, 

20, 24 

, 30. 

, 31, 

33, 

37, 

38 

to obtain: 
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19.5 Cryptotext-Cryptotext Compromises 1^23 


The multiple occurrence of six characters X, M, T, B, G, V, corresponding to 
the most frequent letters e, t, a, i, n, c indicates that we are on the right 
track. The other frequent characters L, A, K can be used to continue the 
formation of differences. This gives an adjustment for 40 of the 44 columns. 
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19.5.2.2 Swapping of roles. As before, the additives written in the 
footlines are to be added to the intermediary text letters to obtain the original 
cryptotext characters. Thus, they are themselves a CAESAR encryption of 
the pseudo-plaintext (the original key) which reads: 

12345 6789 10 1112131415 1617181920 2122232425 2627282930 

AYBAO PZZVW YLJPV B*AOH A PAUL *KZHI 

3132333435 3637383940 41424344 
VKFNB HYKVM **LZ 

Now exhaustion is indicated: among the 26 possible adjustments the addition 
of 19 yields the following fragmentary English plaintext: 

12345 6789 10 1112131415 1617181920 2122232425 2627282930 

truth issop recio u * t h a titne * cl sab 

3132333435 3637383940 41424344 

odygu ardof **es 

In cleartext, the complete quotation, from Churchill’s autobiography of 1949, 
reads: “In wartime, truth is so precious that she should always be attended 
by a bodyguard of lies” (Churchill to Roosevelt and Stalin, November 1943). 

The five pseudo-keys (the five original plaintexts) can be reconstructed easily, 
confirming the partial decryptment above. They are taken from a well-known 
‘children’s book’ for non-children: 

“Alice was beginning to get very tired of sitting by he[r sister on the bank...]” 
“ ‘Curiouser and curiouser!’ cried Alice (she was so much s[urprised ...])” 
“They were indeed a queer-looking party that assemble [cl on the bank ...]” 
“It was the White Rabbit, trotting slowly back again, an[cl looking ...]” 

“The Caterpillar and Alice looked at each other for so[me time in silence ...]” 
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19.5.3 A direct product of keys. In the very general case of polyalpha- 
betic encryptions with unrelated alphabets, a method can be tried that may 
even work with only two encryptions of the same plaintext, provided the two 
keys are periodic with known periods of different length. 

The following example of such a cryptotext-cryptotext compromise, first pub¬ 
lished by Sinkov in 1968, explains the procedure that is found in a classified 
1938 work of Friedman, declassified in 1984. 

There are two messages observed on the same day, of 149 characters each: 
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Since the two cryptotexts have equal length, a suspicion arises that the plain¬ 
texts are identical. First, an examination of the period is appropriate. It 
turns out that the key for the first cryptotext presumably has period 6 , the 
key for the second presumably 5 . In this case, 30 is a period both (unknown) 
keys have in common. Then each character coincidence between the two texts 
should be repeated in a distance of 30 positions. Indeed the write-up above 
shows the XX coincidence in column 12 repeated in column 42 as DD coinci¬ 
dence, in column 72 as ZZ coincidence, and so on. A similar repetition holds 
for the columns 15, 45, 75, and so on. This observation strongly corroborates 
the conjecture that both cryptotexts belong to one and the same plaintext. 

In fact, 


12 + 30i = 


0 (mod 6 ) 

2 (mod 5) ’ 


15 + 30i = 


3 (mod 6 ) 
5 (mod 5) 


Therefore, the 6 th alphabet of the first message should coincide with the 2nd 
alphabet of the second message, and the 3rd alphabet of the first message 
should coincide with the 5th alphabet of the second message. A calculation 
of the corresponding Chi gives high values supporting this hypothesis. 

Sinkov’s method now decomposes the two messages according to the two keys 
used. The six alphabets used in keying the first message are named a, (3, 7 , 
<5, e, ( and the five alphabets used in keying the second message are named 
i, k, A, n, v . Thus, the beginning of this decomposition reads: 
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More entries can be made into this diagram: Since both cryptotexts belong 
to the same plaintext, column 2, column 7, and column 12, all showing X for 
key k , can be superimposed. In the same way, column 3, column 13, and 
column 28, all showing H for key A , can be superimposed. Moreover, column 
16 , and column 21, both showing E for key t ; column 17, and column 22, 
both showing E for key k ; column 18, and column 23, both showing Y for 
key A , can be superimposed. This gives the following array: 
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Superimposition can be done in the same way also in the lines l, k, A, p, 
v : column 13, and column 19, both showing B for the key a , can be super¬ 
imposed, and so on. This superimposition is extended, of course, over the 
full length 149 of the messages. Altogether, we obtain the following rather 
complete array: 
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31323334 35 

36373839 40 

41424344 45 

46474849 50 

51525354 55 

56575859 60 

a 

J B 

YU J B 

P B 

WB J H M 

PWY D 

WB J W 

(3 

CGK 

TLGCK 

XX YK X 

QK C E 

YQT 

XQKC Q 

7 

AON 

QG AO 

V VWO V 

L O A C 

WL Q K 

V L O A L 


Z T E 

LI Z T 

F F 

T F 

G T Z E A 

G L 

F G T Z G 

e 

M D P V 

SW MD 

K K 

D K 

Y D M P R 

Y S F 

K YDM Y 

c 

XHQ 

GP HX Q 

D D 

Q D 
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I G F T 
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E M 
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XHQ 

GP HX Q 

D D 

Q D 

I QX Z 

I G F T 

D I Q X I 

A 

S KH 

MNKS H 

VH 

J H S B 

V J M 

J H S J 

9 

R F I 

BY R F 

N N G F N 

S F R I H 

G S B J 

N S F R S 

V 

AON 

QG AO 

V VWO V 

L O A C 

WL Q K 

V L O A L 

-> 

B 0 C PG 

Q K 0 BC 

D D F CD 

A C B PH 

F A Q RE 

D A C B A 


61626364 65 

66676869 70 

7172 73 74 75 

76 777879 80 

81828384 85 

86878889 90 
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N B YD 

J M B W 

YMR 

J 

Y BN 

N B J W 

M B W 

(3 

AK T 

CEGKQ 

T E 

U C 

T K A V 

A K C Q 

E KXQ 
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Z ONQ K 

AC O L 

QC 

A 

Q O Z F 

I Z O A L 

C J O V L 
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XT L 

Z A T G 
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L T X 

X T Z G 

A T F G 
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J D V S F 

MR D Y 

S R 

M 

D A D J 

J DM Y 

R D K Y 
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VQ G T 
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X 

G J Q V 

V Q X I 
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X Z H Q I 

G Z 
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MB D 
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B H 
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AC O L 

QC 
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Q O Z F 

I Z O A L 

C J O V L 

-► 

JCGQE 

B H 0 CA 

QHSTB 

quc jv 

W J C B A 

H X C D A 
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X T UM U 

BM 
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WL P 

M J U Z 

BWU M 

/? 

T A K 

L E L 

KEJT 

XQ Y B 

EC L 

V K Q L E 

7 

Q Z O E 

G C G 

N O C 
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V L BW S 

C A G R 

F O L G C 
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U E Q 

X T Q U 
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F H X B 

NS G Q 

HR Y 
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Q Z O E 

G C G 

N O C 

Q 

V L BW S 

C A G R 

F O L G C 

-> 

Q JCYZ 

L 1 K HK 

G C H 2Q 

D A N FM 

H B 3 K4 

V C A K H 

i.. 

21222324 25 

2627282930 

31323334 35 

36373839 40 

41424344 45 

46474849 
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N Y 

U YO 
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U BM J L 

P B U 

/? 
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X A T B X 

L T 
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L X T E 

L K E C 

YKL 

7 
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Q P 
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QO 
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Q Z O H U 
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Q P 
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J Y B J 

YM 
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K 
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S MH S 
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Y B 

K 
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GQ 

F I 
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G O C A B 

WO G 

-> 

5 A J HA 

D J Q MD 

KQ6VQ 

KDQLH 

K C H BN 

F C K P 



19.5 Cryptotext-Cryptotext Compromises /i?7 

As we should have expected, the alphabets named 7 and v are identical 19 , 
likewise the alphabets named ( and k. Not all fields of entries are filled, and 
some columns such as 8 and 17 could possibly be identical. Indeed, there are 
a total of 32 different columns, which are ad hoc abbreviated with A. . . Z and 
1 ... 6 and listed in the footlines (marked by —>) more or less in the order 
of their formation in the superposition process. 32 characters—that is more 
than the 26 letters of the common alphabet. In fact, nothing prohibits the 
adversary from using a plaintext alphabet of more than 26 characters. But 
most likely some columns mean the same plaintext character. Thus, we have 
presumably reached a monoalphabetically encrypted intermediary text, but 
the encryption includes homophones—a rather surprising result. 

Fortunately, it will turn out that the victims of homophony are not the 
most frequent characters—as they often are for the purpose of equalizing 
the frequencies—but just the rare ones; they are too rare to provide enough 
material to fill the fields. 

19.5.4 Intermediate encryption. It is given by the footlines of the array 
ABCHD EBFDC GBCAH BUCK BIJLQ MNCBE 

BOCPG QKOBC DDFCD ACBPH FAQRE DACBA 

JCGQE BHOCA QHSTB QUCJV WJCBA HXCDA 

QJCYZ L1KHK GCH2Q DANFM HB3K4 VCAKH 

5AJHA DJQMD KQ6V0 KDQLH KCHBN FCKP 

which shows clearly the frequency distribution of English, with a peak-C and 
B, A, H, D, O, N of about equal frequency. Among the many ways that would 
give an entry, we assume that /treasurysecretary/ is a probable word that 
fits the pattern 12345627538231427 of the beginning. With eight letters, a 
lot is achieved: 

treas uryse creta rIJeK rIJLQ MNeru 

rOePc QKOre ssyes terPa ytQRu stert 

JecQu raOet QaSTr QUeJV WJert aXest 

QJeYZ LIKaK c e a 2 Q stNyM ar3K4 VetKa 

5 t J a t sJQMs KQ6V0 KsQLa KearN yeKP 

/yesterday/ in the second line catches the eye, but does not help much. 
A few places earlier /congress/ brings more. There are now twelve letters 
determined and only two from the etaonirsh are still missing, /i/ and /h/ : 
treas uryse creta rIJen rIJLo MNeru 
rgedc ongre ssyes ter cl a ytoRu stert 

Jecou raget oaSTr oUeJV WJert aXest 

oJeYZ Lin an cea2o stNyM a r 3 n 4 Vetna 

5 t J a t sJoMs no 6Vg nsoLa nearN yend 

Now we get rid of some homophones: /henry/ in the first line means that I 
homophone with F is /y/ . For the /i/ it is more difficult, but in the last line 
we can read /no signs/ , provided 6 homophone with D is /s/ . Thus: 

19 For further manual work one will identify the corresponding lines but in programmed 
execution it is simpler to repeat them. 
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treas uryse creta ryhen ryhLo MNeru 

rgeclc ongre ssyes terda ytoRu stert 

hecou raget oaSTr oUehi Whert aXest 

oheYZ LI nan cea2o stNyM a r 3 n 4 ietna 

5th at shoMs nos ig nsoLa n e a r N yend 

which presents in the second line /to muster/, in the third line /approve 
higher taxes/ (S and T homophone), in the fourth line /help finance a costly 
war in Vietnam/ , whence finally in the first line the name /henry h fowler/ 
emerges and the decryption is finished. The plaintext reads: 

treas uryse creta ryhen ryhfo wleru 

rgeclc ongre ssyes terda ytomu stert 

hecou raget oappr ovehi ghert axest 

ohelp fin an ceaco stlyw arinv ietna 

mthat shows nosig nsofa nearl yend 

19.5.5 Reconstruction of the encryption table. So far, the 32 columns 
reduced to 21 characters; 5 characters are still missing in the plaintext. The 
fragmentary encryption table is as follows: 
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The complete encryption table (tabula recta) could be reconstructed if the 
alphabets were obtained by shifting a primary alphabet. This turns out to be 
the case, and a method developed by Friedman (mentioned in Sect. 18.8.2) 
allows one to reconstruct the primary alphabet. For the decryption this was 
not necessary, but it helps to fulfill Rohrbach’s maxim. 

19.5.5.1 Friedman starts from the observation that in the desired encryp¬ 
tion table all columns are derived from a single one by cyclic shift. Picking 
out, say, the lines A and /i, then at some unknown distance k below /t/ are 
the characters J and S , below /r/ the characters S and R, below /s/ U and N, 
then N and Y, Y and M, M and B , B and H, H and F, finally V and G —all 
with the same distance k. Thus, we have already three chains 

J-S-R , U-N-Y-M-B-H-F V-G 

with the distance k. But the characters J and S are also found below /r/ in 
the lines a and A, then at the same distance k there are also the characters 
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W and J, R and D, O and U, U and N, P and V, L and A. The chains can be 
extended with the new links; we now have 

W-J-S-R-D , O-U-N-Y-M-B-H-F , P-V-G and L-A . 

J and D have the distance 3 k ; in the lines t and a are found below /u/ the 
characters J and D , thus not only U and M, O and Y, but also C and N, 
X and T, A and K, Q and U, E and J, Z and O, T and W, S and P have distance 
3 k . We now have the chains 


T-ID-*-W-J-S-R-D-P-V-G , Q-C-0-U-N-Y-M-B-H-F-*-X , L-A-*-*-K . 

We can now close these chain fragments by observing that W, G, to be found 
in the lines a and 5 , have the distance 7k , thus this is also the distance of J 
and Z, B and T, M and A, U and I, H and E, Y and L, which closes the cycle: 

T-ID-K-W-J-S-R-D-P-V-G-Z-Q-C-O-U-N-Y-M-B-H-F-1-X-L-A- . 


19.5.5.2 But this is not necessarily the original order. With the method of 
Sect. 18.8.1, the fifth power 


T-S-G-U-H-A-J-V-O-B-L-W-P-C-M-X-K-D-Q-Y-I-E-R-Z-N-F- 
brings success: the sequence 

HAJ VOBLWPCMXKDQYI ERZNFTS GU 


results—columnwise—from the password HOPKINS by the method described 


in Sect. 3.2.5: 


H O P K I NS 
A B C D E F G 
J L M Q R T U 
V W X Y Z 


With this sequence, a tabula recta is built (Table 29), it also turns up as 
the column of keys. To determine the headline, the following can be done: 
A ‘rich’ line like the one named with 7 = v in the fragmentary encryption 
table, reordered, reads: 


rxselty a u o gpvhci w n 
7 = P HAJ VOBLWPCMXKDQYI ERZNFTS GU 


The other lines considered so far drop into place and determine further plain¬ 
text characters. Altogether a fragmentary headline is obtained: 

*rxsel ty*afmu*o*gpvhci * w n d 


where only the rare plaintext characters /b/, /j/, /k/, /q/, /z/ are still 
missing. This headline now also discloses its secret; it is built by the method 
described in Sect. 3.2.5 with the password /johns/ . 


j o h n s 

a b c cl e 

f g i k 1 

m p q r t 

u v w x y 
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Johns Hopkins 
(1795-1873) 
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This settles the five missing characters, too. The encryption table in Table 29 
falls under the heading ‘treble key’ (Sect. 8.2.3). The passwords /johns/ and 
HOPKINS are obvious allusions to Johns Hopkins, American financier and 
philanthropist. 20 

The keys are fittingly CIPHER and GROUP as can be seen from the 
entries for and in\p,v in Table 29 . The original encrypted messages 

are obtained in the following way: 
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20 The Johns Hopkins University in Maryland, USA, was the place where in the Second 
World War the proximity fuze was developed. 



19.6 Cryptotext-Cryptotext Compromise: ENIGMA Indicator Doubling 431 


19.6 Cryptotext-Cryptotext Compromise: 

ENIGMA Indicator Doubling 

The double encipherment of each text setting was a gross error. 

Gordon Welchman 1982 

The Poles were known for the high standard of their cryptanalytic abilities: 
They won their war against Russia in 1920 with the help of cryptanalysis. 

As Wladyslaw Kozaczuk disclosed in 1967, 21 a typical case of cryptotext- 
cryptotext compromise allowed from 1932 on the Polish Biuro Szyfrow under 
Major Gwido Langer (‘Luc’) with its German section B.S.-4 under Maksy- 
rriilianCi§zki (1899-1951) and the young mathematicians Marian Rejewski, 
Jerzy Rbzycki, Henryk Zygalski (they had been trained as students in Poznan 
University since 1929 by Ci§zki) to penetrate the encryption of the German 
Wehrmacht , whose practice transmissions of ENIGMA-encryptecl radio sig¬ 
nals in the Eastern provinces of Prussia gave a copious supply of cryptotexts. 

It was a typical problem of machine encryption with a key sequence gen¬ 
erated by the machine itself (Sect. 8.5). If every message is started with its 
own initial setting, immediate superimposition is inhibited. But it was widely 
considered too difficult and prone to mistakes to prearrange such new initial 
settings for every message. This did not hold for the ENIGMA only, but is 
the general problem of key negotiation and key administration. Therefore, 
as already mentioned in Sect. 19.3, indicators are used for the ‘message set¬ 
ting’ of the rotors. Of course, they should not give the setting plainly, but 
must be themselves somehow encrypted. 

Thus, it was thought to be a clever idea to use the encryption machine itself 
for this purpose. One specific weakness with both the Army and Air Force 
ENIGMAs was that the encryption of the indicator was based exclusively 
on the ENIGMA itself. However, for the 4-rotor Navy ENIGMA, at least a 
bigram superencryption was done, starting May 1, 1937. 

Another weakness was that (for reasons to be given below) the plain indicator 
was doubled before encryption—the old treacherous trick -thus introducing a 
tiny cryptotext-cryptotext compromise at the very beginning of the message, 
a fixed place. All this was the fault not of the machine, but of the rules for 
operating it. B.P. called the indicator doubling system ‘boxing’ or ‘throw-on’. 

The fancy idea of doubling the indicator seems to go back to recommendations 
of Scherbius’ Chiffriermaschinen A.G. for the commercial ENIGMA of 1924. 
Otherwise, the security of the ENIGMA seemed to be high. A Tagesschliissel , 


21 In his book Bitwa o tajemnice: Shizby wywiadowcze Polski i Rzeszy Niemieckiej 
1922-1939, Warsaw 1967 (in Polish), which was largely overlooked in the West (a re¬ 
view, in German, was published in the Ostdeutscher Literaturanzeiger, Holzner Verlag, 
Wurzburg , tome XIII, no. 3 in June 1967). However, in 1968, Donald Cameron Watt (in 
a foreword to Breach of Security by David Irving, London 1968) revealed that in 1939 
Britain “received from Polish Military Intelligence keys and machines for decoding Ger¬ 
man official military and diplomatic ciphers”. This seemed unbelievable, until in 1973 
the French General Gustave Bertrand, who had been involved in the deal, confirmed it. 
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valid for one day for all machines in a ‘key net’, determined, apart from the 
Steckerverbindung , the order (and later also the choice) of the three rotors 
(Walzenlage ), the internal ring setting ( Ringstellung ) on each rotor, and a 
basic wheel setting ( Grand,stellung, ground setting) of the rotors. With the 
machine set accordingly, a freely chosen 3-letter group, the plain indicator, 
in Bletchley Park called the message setting or text setting (German Spruch- 
schliissel ), was doubled and encrypted, and the resulting 6-letter group, the 
encrypted doubled indicator (German chiffrierter Spruchschliissel) was trans¬ 
mitted after a preamble (in plain) containing call-sign, time of origin, and 
number of letters in the cryptotext. Then the message followed, encrypted 
with the indicator as initial setting. The authorized recipient first decrypted 
the encrypted indicator with his Tagesschliissel and checked whether it was 
correctly doubled in order to find the initial setting for decryption of the cryp¬ 
totext proper. This encryption procedure was valid until September 15,1938. 
Weakening the security of the cryptotext proper by using an indicator was 
accepted without scruples by the Germans, since the indicator was protected 
well by the ENIGMA, which was judged to be indechiffrable. Nobody ob¬ 
served that this was logically a vicious circle. Anyhow, the ENIGMA seemed 
to have enough combinatory complexity, and when after July 15,1928 more 
and more radio signals of the German Army encrypted with ENIGMA G ap¬ 
peared in the ether, the Polish bureau, although familiar with the commercial 
ENIGMA, which had been on the open market since 1926, was not able to 
break in at first. (The internal wiring of the rotors in the military ENIGMA 
of 1930 was different from that in the commercial version, of course.) 

The reason for doubling the plain indicator, the ‘double encipherment of 
each message setting’, was that radio signals then were frequently disturbed 
by noise. An encrypted indicator corrupted during transmission would cause 
nonsense in the authorized decryption, with all the risks of repetition. To 
transmit the whole cryptomessage twice for the sake of error-detection seemed 
out of the question. Thus, the error-detecting possibility was restricted to the 
plain indicator. But this led to a much more dangerous compromise which 
could have been avoided. And the doubling was not necessary at all: When 
it was discontinued on May 1,1940, ENIGMA traffic did run smoothly. 

How did the Polish cryptanalytic service B.S.-4 find out about the indicator 
at all? Ci§zki’s people discovered around 1930 quickly, using standard tech- 
niqes, that two signals which started with the same 6-letter group showed a 
higher character coincidence near Kd, thus they invited superimposition. As 
a consequence, the initial setting of the rotors was determined by the first 
6 -letter group—in other words, it was an indicator. Since it was clear that it 
was not plain, it could only be somehow encrypted. But how was this done? 

19.6.1 France I. It is not known whether the Poles had reasons to believe 
the Germans would be stupid enough to use the ENIGMA itself for the indica¬ 
tor encryption. In any case, they found in 1931 help from their French friends. 
The spy Hans-Thilo Schmidt (1888-1943, with code name ASCHE, Asche, the 
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French pronunciation of H.E. ), workinguntill938 in the Chiffrier-Stelle of the 
Reichswehrministerium, had since November 1931 forwarded via the secret 
agent ‘Rex’ manuals on the use of the ENIGMA, on the encryption procedure, 
and even Tagesschlussel for September and October 1932 (including the ring 
settings and cross-pluggings for these months) to the French grand chef\ then 
Major, later General Gustave Bertrand (1896-1976, code-name ‘Godefroy’, 
‘Bolek’) who forwarded them in turn to the Polish bureau. (Hans-Thilo 
was arrested on March 23, 1943 and allegedly shot in July 1943; actually he 
committed suicide on September 16, 1943. His brother, Generaloberst Rudolf 
Schmidt, commander of the 2. Panzerarmee, was dismissed on July 10, 1943.) 

19.6.2 Poland I. Ci§zki’s young aide, the highly gifted 22 Marian Rejewski 
(1905-1980)—he knew him since 1929 and had hired him permanently in 
1932—had first to find out how the French gift could be made useful. Ac¬ 
cording to a report by Wladyslaw Kozaczuk in 1984, he proceeded as follows. 

19.6.2.1 He had already guessed that each signal began with the 6 letters of 
the encrypted doubled indicator . 23 Let Pi, P 2 , P 3 , P4, P 5 , P 6 (Rejewski used 
the letters A, B, C, P, E, F) denote the permutations performed upon the 
1st, 2nd, 3rd,... 6 th plaintext letter, starting with some basic wheel setting. 

From aPi =X and aPi +3 =Y (i = 1,2,3) it follows that a = XP ” 1 and 
thus Xl J r ' P l+3 = Y . The properly self-reciprocal character of the ENIGMA 
was known. Therefore, Pff 1 = Pi and it follows even that xPiP J+ 3 =Y . 
The known characters X, Y standing in the 1st and 4th, or the 2nd and 5th, 
or the 3rd and 6 th positions of the cryptotext thus impose conditions on the 
three products PjP i+ 3 of the unknown reflections Pi, P 2 , P 3 , P 4 , P 5 , Pq. 


1 . 
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9. HNO 

THD 

17. 

NXD QTU 
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33. 
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RKK 

2 . 

BNH CHL 

10. HXV 
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18. 
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BCT CGJ 

11 . I KG 
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19. 
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CIK BZT 
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JHU 
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PVJ FEG 

28. 

TAA 

EXB 

36. 
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DDB VDV 

13. JWF 

MIC 

21 . 

QGA LYB 

29. 
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NWH 

37. 

YPC 

OSQ 

6 . 

EJP IPS 

14. KHB 

XJV 

22 . 

RJL WPX 

30. 

VII 

PZK 

38. 

ZZY 

YRA 

7. 

FBR KLE 

15. LDR 

HDE 

23. 

RFC WQQ 

31. 

VQZ 

PVR 

39. 

ZEF 

YOC 

8 . 

GPB ZSV 

16. MAW UXP 

24. 

SYX SCW 

32. 

WTM RAO 

40. 

ZSJ 

YWG 


Fig. 171. 40 different observed encrypted doubled indicators to the same Tagesschlussel 


22 Marian Rejewski’s intuitive abilities are illustrated by the following episode: In the 
commercial ENIGMA D, the contacts on the entry ring belonged to letters in the order 
QWERTZU... of the letters on the keyboard. This seemed to be different with the 
military ENIGMA I. Rejewski said to himself “the Germans rely upon order” and tried 
around New Year 1933 the alphabetic order (see Sect. 7.3.2)—and that was it. Knox, 
who had long racked his brain about this question, was told the solution in July 1939 by 
Rejewski. Penelope Fitzgerald, Knox’s niece reported “Knox was furious when he learned 
how simple it was”. Later, he was chanting “Nous avons le QWERTZU, nous marchons 
ensemble ” (Peter Twinn). 

23 For the commercial ENIGMAs, as said above, indicator doubling was openly recommen¬ 
ded. Moreover, Rejewski observed that signals starting with the same first letter always 
showed the same fourth letter; likewise for the second and the fifth letter and for the third 
and the sixth (see, for example, Fig.171). This was a clear hint at indicator doubling. 
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Figure 171 presents 40 different encrypted doubled indicators. They show that 
for P1P4 the character a goes into itself (l.), likewise 
the character s goes into itself (24.), while 
the character b goes into c and vice versa ( 2 ., 4.), 
the character r goes into w and vice versa ( 22 ., 32.). For the 

remaining characters it turns out that they belong under P1P4 to the cycles 
(dvpfkxgzyo) (5., 30., 20., 7., 14., 34., 8., 38., 37., 19.) and 

(e i j m unql h t) (6., 11., 13., 16., 29., 17., 21., 15., 9., 27.) . 

In short, P1P4 has two 1 -cycles, two 2 -cycles and two cycles of ten characters, 
and since this embraces all 26 characters, P1P4 is fully determined. For P2P5 
and P3P6 the work is similar. The cycle determination is complete if every 
character occurs at least one time in the first, the second and the third 
position; as a rule this requires fifty to a hundred messages—this much was 
certainly the result of a busy manoeuvre day. Thus, there was the lucky result 
PiPj= (a) (s) (b c) (r w) (dvpfkxgzyo) (e i j m unql h t) 
P 2 P5= (d) (k) (a x t) (c g y) (b 1 f q v e o u m) (h j p s w i z r n) 

P^Pq= (a b v i k t j g f c q n y) (cl u z r e h 1 x w p s m o) 

The 1 -cycles (‘females’) 24 play a particular role: Since each one of the permu¬ 
tations Pi, P 2 , P3, P4, P5, Pq because of its self-reciprocal character consists of 
2-cycles (‘swappings’) only, PiP i+3 x = x implies that there exists a character 
y such that PtX = y and P i+3 y = x , i.e., both P t and P i+ 3 contain the 2 - 
cycle (x y) . In the given example, both Pi and P4 contain the 2 -cycle (as). 
A theorem of group theory about products of properly self-reciprocal permu¬ 
tations states that the cycles of P,Pi+3 occur in pairs of equal length: if 
Pi contains the 2-cycles (aqyi), (£22/2), • ■ ■, (x^y^) , and 

Pi+3 contains the 2 -cycles ( yix 2 ) , (2/223) (2/^1) , then 

Pi.Pi+ 3 contains the ^-cycles {xix 2 ...x^), (2/^-1 ■ • ■ 2 /i) • 

Thus, if one of the cycles of PjPj+3 is written in reversed order (<—) below 
the other one, then the 2-cycles of Pi can be read vertically—provided the 
cycles are in phase. To find this phase is the problem. It could be solved by 
exhaustion, for P1P4 above in 2-10 trials, for P2P5 above in 3-9 trials. 
19.6.2.2 But Marian Rejewski found a shortcut. He observed that the en¬ 
crypted indicators actually used showed deviations from equal distribution, 
which probably meant that the German crypto clerks, like most people play¬ 
ing in the lottery, were unable to choose the message setting truly at random. 
Thus, Rejewski directed his interest primarily to conspicuous patterns, and 
he was right. In fact, the German security regulations were not too clear on 
this point, and a German officer who had given the order to take as message 
setting the end position of the rotors in the previous message could argue 
that he had made sure the message setting was changed after every message. 

24 In the jargon of Bletchley Park the term ‘female’ was used, originating from the Polish 
pun te same (‘the same’) <-> samiczka (‘female’). Most people in Bletchley Park did not 
know—in fact did not have to know—the Polish origin and found their own explanations, 
like female: screw for a threaded hole. 
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Thus, it was common practice to use even stereotyped 3-letter groups like 
/aaa/, /bbb/, /sss/ . When in the spring of 1933 the mere repetition of letters 
was explicitly forbidden, it was too late. The Poles had already made their 
entry into the obscurity of the ENIGMA. Later, the bad habit developed of 
using horizontally or vertically adjacent letters on the keyboard: 

/qwe/, /asd/ (horizontally); /qay/, /cde/ (vertically), etc. 

Rejewski’s frequency argument was that the most frequently occurring en¬ 
crypted indicator 24. SYX SCW , which had occurred five times, should cor¬ 
respond to a most conspicuous pattern. There were still a number of those 
to be tested. Assume we test with the plain indicator aaa . This fits in P\ 
with the 2-cycle (a s), in P 2 it gives the 2-cycle (a y), in P 3 the 2-cycle (a x); 
it fits in P 4 with the 2-cycle (a s), in Pq it gives the 2-cycle (a c), in Pq it 
gives the 2-cycle (a w) . Thus, for P 3 and Pq the phase of the two cycles 
1 

-* ( a b v i k t j gfcqny) 

<— ( x 1 he r zudomspw) 

is already determined; in a zig-zag the 2-cycles of P 3 and P 6 , beginning with 
(ax), can be calculated: 

P 3 = (a x) (b 1) (v h) (i e) (k r) (t z) (j u) (g d) (f o) (c m) (q s) (n p) (y w) 

P 6 = (x b) (1 v) (h i) (e k) (r t) (z j) (u g) (d f) (o c) (m q) (s n) (p y) (w a) 

P 3 contains among others the 2-cycle (q s). Thus, the plain indicator to 
1. AUQ AMN has the pattern **s ; since P 3 contains among others the 
2-cycle (as) , it even has the pattern s*s . If one now guesses that the plain 
indicator to AUQ AMN reads sss , then in P 2 , apart from (a y), also (s u) 
is determined. Thus, the phase for the cycles of P 2 and P 5 is also fixed: 

1 1 

—>( axt) (b 1 fqveoum) (d) 

< -(ygc)(jbnrziwsp)(k) . 

In a zig-zag the 2-cycles of P 2 and P 5 , beginning with (a y), can be calculated: 
Pi= (a y) (x g) (t c) (b j) (1 h) (f n) (q r) (v z) (e i) (o w) (u s) (m p) (d k) 

p 5 = (y x) (g t) (c a) (j 1 ) (h f) (n q) (r v) (z e) (i o) (w u) (s m) (p b) (k cl) 

Another frequently occurring encrypted indicator was 22. RJL WPX , which 
occurred four times. The corresponding plain indicator has the pattern *bb . 
Pl can only have the 2-cycles (r b) or (r c). In the first case with the more 
likely plain indicator bbb : P 3 contains the 2-cycle (b r), P 4 the 2-cycle (r c). 
For a pairing of the 10-cycles, another encrypted indicator may be used, say 
15. LDR HDE . Since P 3 and Pq contain (r k) and (k e), P 2 and P 5 contain 
(cl k) and (k d), the pattern of the plain indicator is *kk . This suggests 
again the stereotype kkk , with the result that Pi and P 4 contain the 2-cycles 
(1 k) and (k h). Thus, the phase for the cycles of Pi and P 4 is also completely 
fixed: 

i 1 

—» ( a) (be) (clvpfkxgzyo) 

<— ( s)(rw)(i ethlqnumj) and thus 
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Pi= (a s) (b r) (c w) (d i) (v e) (p t) (f h) (k 1) (x q) (g n) (z u) (y m) (o j) 

P 4 = (s a) (r c) (w b) (i v) (e p) (t f) (h k) (1 x) (q g) (n z) (u y) (m o) (j d) 

Altogether the first three permutations read in ordered form: 

Pi = (a s) (b r) (c w) (d i) (e v) (f h) (g n) (j o) (k 1) (m y) (p t) (q x) (u z) 

P 2 = (a y) (b j) (c t) (d k) (e i) (f n) (g x) (h 1) (m p) (o w) (q r) (s u) (v z) 

P 3 = (a x) (b 1) (c m) (d g) (e i) (f o) (h v) (j u) (k r) (n p) (q s) (t z) (w y) 
Mathematics did defeat the obscurity of the (improperly used) ENIGMA. 

19.6.2.3 The reconstruction of all plain indicators used on this busy manoeu¬ 
vre day is now possible (Fig. 172), as reported by Tadeusz Lisicki (1910-1991). 
The bad habits of the ENIGMA crypto clerks are evident. First, the use 
of stereotypes has led to multiple use of identical indicators, something that 
should by no means happen. Second, a look on the keyboard of the ENIGMA 
(Fig. 173) is frightening: only two out of forty, namely abc and uvw, are 
not keyboard stereotypes; instead they are alphabet stereotypes. Neither 
the crypto clerks nor their signal officers would have dreamed that peaceful 
practice transmissions with an innocently invented combat scenario would 
give away so much of the secret of the ENIGMA. 25 


SSS : 

AUQ AMN 

ddd : 

IKG 

JKF 

XXX : 

QGA LYB 

ert : 

VQZ 

PVR 

rfv : 

BNH CHL 

dfg: 

IND 

JHU 

bbb : 

RJL 

WPX 

CCC : 

WTM RAO 

rtz : 

BCT CGJ 

OOO : 

JWF 

MIC 

bnm : 

RFC 

WQQ 

ede : 

WKI 

RKK 

wer : 

CIK BZT 

111 : 

KHB 

XJV 

ctclcl : 

SYX 

sew 

qqq : 

XRS 

GNM 

ikl : 

DDB VDV 

kkk : 

LDR 

HDE 

abc : 

SJM 

SPO 

qwe : 

XOI 

GUK 

vbn : 

EJP IPS 

yyy = 

MAW UXP 

ascl : 

SUG 

SMF 

qay : 

XYW 

GCP 

hjk : 

FBR KLE 

ggg : 

NXD 

QTU 

PPP : 

TMN EBY 

mmm : 

YPC 

OSQ 

nml : 

GPB ZSV 

ghj • 

NLU 

QFZ 

pyx : 

TAA 

EXB 

UVW : 

ZZY 

YRA 

fff : 

HNO THD 

j j j : 

OBU 

DLZ 

zui : 

USE 

NWH 

uio : 

ZEF 

YOC 

fgh: 

HXV TTI 

tzu : 

PVJ 

FEG 

eee : 

VII 

PZK 

UUU : 

ZSJ 

YWG 


Fig. 172. 40 different indicators decrypted 


®®®®®®©®® 
®®@®®@®® 
®®®©®@®®® 
Fig. 173. Keyboard of the ENIGMA 


19.6.2.4 The Polish Bureau certainly learned something also from the con¬ 
tent of the decrypted signals. But much more important was that the com¬ 
promise had endangered the wiring of the rotors. Since the indicator analysis 
involved only the first six letters, it was mostly only the core of the fast rotor 


25 According to Patrick Mahon, Dilly Knox found the method too, which was called by 
Turing a ‘Saga’, to apply it by not knowing the correct QWERTZU (see Sect. 19.6.2, 
fn. 22), which also prevented him from solving Enigma’s rotor wiring. 
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Rn (the rightmost one) which was moved, and the two other ENIGMA rotors 
remained in 20 out of 26 cases at rest. This, together with the material from 
ASCHE, was sufficient for Rejewski et al. in December 1932 to reconstruct the 
wiring of the fast rotor core, and since the rotor order at that time was chan¬ 
ged every quarter (from 1936 every month, later every day), each rotor came 
finally under examination by the Polish Biuro Szyfrow. Once all the plain 
indicators of a day were decrypted, all the signals that day could be decrypted 
with the help of Polish ENIGMA replicas. But what about the next day? 

19.6.2.5 Reconstruction of the basic wheel setting (German Grundstellung) 
was accomplished with the help of a theorem of group theory, which was 
highlighted by Deavours as “the theorem that won World War II”. It says 

S and TST -1 have the same cycle decomposition (‘characteristic’). 
Therefore, Marian Rejewski and his co-workers since September 1932 made 
use of the fact that the cycle lengths in the three observable PjP i+ 3 are inde¬ 
pendent of the choice of the cross-plugging (and of the ring setting anyway). 
The number of essentially different cycle arrangments is the number of parti¬ 
tions of 26/2 = 13 , which is 101; three such partitions—in the example above 
the partitions (‘characteristics’) 10+2+1, 9+3+1, 13 —in general character¬ 
ize uniquely the 6-26-26-26 « 10 5 basic wheel settings. Rejewski, supported 
by Rbzycki and Zygalski, was now able to produce with the help of the 
ENIGMA replica a catalogue for every rotor order containing the partitions 
of the cycles for all basic wheel settings. For this purpose, an electromechan¬ 
ical device called the ‘cyclometer’ was built in the factory AVA in Stepinska 
Street, Warsaw. The Biuro Szyfrow finished the catalogue in 1937; to find 
the Tagesschliissel then took no longer than 10-20 minutes. Unfortunately 
for the Poles, on November 1, 1937 the Germans changed the reflecting rotor. 

19.6.2.6 There remained the problem of finding the ‘right’ ring setting on 
the rotor core. The exhaustive treatment could be simplified by an observa¬ 
tion Rejewski had made in 1932, thanks to the material of ASCHE: most plain¬ 
texts started with /anx/, where /x/ replaced the word space u . According 
to Kerckhoffs’ admonition, it had to be expected that the machine was in the 
wrong hands, so it was pretty silly to use a stereotyped beginning. We shall 
resume this trivial case of a plaintext-cryptotext compromise in Sect. 19.7. 

19.6.2.7 The Poles also used for a while a method they called metoda rusztu 
(‘grill method’, ‘grid method’), which was “manual and tedious”, as Rejewski 
says. It was usable only as long as the number of cross-pluggings was small 
(six up to October 1, 1936) and served to determine the ring setting of the 
fast rotor, as published in 1980 by Tadeusz Lisicki in Jozef Garlinskis book. 

19.6.3 Poland II. All this success was only possible because of the properly 
self-reciprocal character 26 of the ENIGMA rotor encryption; the reflecting ro¬ 
tor of Scherbius and Korn turned out to be a grandiose illusory complication. 


26 The simply self-reciprocal encryption machines of Boris Hagelin did not suffer from this 
defect—nevertheless the M-209 was broken from 1942 by the Germans in North Africa. 
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19.6.3.1 On May 1,1937, introduction of additional bigram tables for the 
superencryption of the indicators (see Sect. 4.1.3) stopped the Poles from rea¬ 
ding the Marine ENIGMA any longer. This was a very sad blow for them, but 
by a combination of luck and skill they recovered slightly on May 8,1937 when 
they found a crib: They had observed that sometimes very long messages were 
broken into parts, the continuation being marked by a prefix /fort/ (“Fort- 
setzung”) and also by a reference number, which had before mid-1937 its 
figures coded by the letters in the top line of a German typewriter keyboard 

1234567890 

qwertzuiop 

and enclosed by /y/ and then doubled. Thus, /forty/ was a crib for such 
messages. They had a suspicion and tried, with success since the continua¬ 
tion of the plaintext obtained read /fortyweepyyweepy/, “Fortsetzung 2330”. 
After this entrance into the encryption, the Poles had no difficulty in finding 
the rotor order, ringstellung and steckering of this particular message, and 
since these were in 1937 changed not too frequently, they had good reasons 
to hope for a complete break once they had found the basic wheel setting 
(German Grundstellung). Luckily for Poland, a German torpedo boat with 
the call sign AFA had not been provided in time with the instructions for the 
new indicating system and sent on May 1,1937 a message in the old system 
the Poles were familiar with, and more messages were exchanged on May 2 
and May 3, enough for the basic wheel setting to be found (a guess for the 
rotor order and steckering was already known from the /forty weepyy weepy/ 
message). It turned out that indeed a message of April 30, broken in the old 
system, had the same rotor order and steckering. Thus, the Poles tried and 
were successful in breaking individually messages from the intermediate days 
May 2, 3, 4, 5—about 15 per day, altogether almost 100—not knowing how 
the new indicator system worked. 

To find out this was left to Alan Turing in Britain, two and a half years la¬ 
ter. But the Poles expressed already the conjecture that some kind of a bi¬ 
gram substitution was involved. With the next change in the rotor order and 
steckering the Polish became blind. But their result filled with admiration the 
few people in B.P. who were in 1939 allowed to know about this achievement 
rightfully. “Forty Weepy” was for a long time a magic formula for insiders. 

19.6.3.2 In 1938, the situation was aggravated. The Germans changed the 
encryption procedure on September 15, and introduced on December 15 a 
fourth and a fifth rotor, giving 60= 5-4-3 instead of 6= 3-2-1 possible rotor 
orders. 

The Poles had to find out the wiring of the new rotors quickly, and they were 
lucky. Among the traffic they regularly decrypted were signals from the S.D. 
(Sicherheitsdienst) , the intelligence service of the Nazi Party. The S.D. did 
not change their encryption procedure before July 1, 1939, but introduced 
the new rotors in December 1938. These rotors came from time to time into 
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the position of the fast rotor and their wiring could be reconstructed the 
same way as previously with the first three rotors. 

The use of two methods, one of which possibly was compromised, was a grave 
error. 

As an aside, there is a story of how B.S.-4 came to read the S.D. signals. The 
Sicherheitsdienst officers were distrustful of everybody and encoded their 
messages by hand before giving them to an ENIGMA operator for superen¬ 
cryption. The Poles, decrypting all ENIGMA traffic, obtained meaningless 
text and thought at first the cryptotext was encrypted in a different system. 
Then, one day in 1937, the three letter word /ein/ was read. This could only 
mean that a plaintext group by mistake was mixed with a code; probably 
the numeral 1 had not been transcribed and the ENIGMA operator knew no 
better than to send /ein/ instead. The Poles then found it easy to break the 
simple hand-encrypted code. 

19.6.3.3 The new encryption procedure, valid until the end of April 1940, 
did not use the same basic wheel setting for all messages of the day, but 
for each message an arbitrary basic wheel setting was to be chosen, which 
should precede the signal in plain. With this chosen basic wheel setting (in 
B.P. called ‘indicator setting’), as before, a randomly chosen plain indicator, 
still doubled, was to be encrypted and also used as the message setting for the 
encryption of the text. To give an example, for a signal beginning (after the 

plain preamble) with RTJWA HWIK., rtj is the basic wheel setting, WAH 

WIK is the encrypted doubled indicator, encrypted with rtj. For this situa¬ 
tion, we shall write in the sequel rtj | WAH WIK . The authorized recipient uses 
the basic wheel setting rtj to find from WAH WIK the plain indicator doublet 
(which has the pattern 123123)-, then decrypts the cryptotext with the first 
three letters (the true indicator) as the message setting. As long as the ring 
setting and rotor order had not fallen into the wrong hands, the foe could do 
nothing with the openly displayed basic wheel setting. The search space still 
contained respectively 105456 or 1054 560 possibilities: 26 3 ring settings, 
and 6 rotor orders; increased by December 1938 to 60 = 5 • 4 • 3 rotor orders. 

19.6.3.4 The methods Rejewski and his friends had used so far did not work 
any longer, since they were based on the multiple use of the same basic wheel 
setting for a full day. But the Germans, almost incredibly, kept the doubling 
of the plain indicator 27 and thus allowed the attack of searching for a pattern, 
i.e., for the pattern 123123 , at a known position. This method would have 
worked before, too, but in the fall of 1938, there was no choice but to go to the 
trouble of much more work. The Poles therefore thought of mechanization. 
Rejewski ordered in October 1938 six machines from the factory Wytornia 
Radiotechniza AVA (Ing. Antoni Palluth), each one simulating one of the six 


27 While the double encipherment of each message setting was discontinued by May 1,1940 
for the service ENIGMAs, it was reintroduced for the Navy key net ,Siid‘ around August 
1941 and was still employed in January 1944—‘an astonishing blunder’ (Ralph Erskine). 
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hpl +3 

Fig. 174. Abstract function of a Polish bomba (October 1938) 


rotor orders, and tested in parallel on them the 17 576 positions of the rotor 
core (in B.P. called ‘rod-positions’), which needed at most 110 minutes. 

The ‘right’ ring setting on the rotor core was found using the 1-cycles in the 
following way. The machine was built from three pairs of ENIGMA rotor sets. 
In each pair the rod-positions of all rotors were shifted by three; the position 
of the rotor sets of the first pair was shifted by one against the position of 
the rotor sets of the second pair, which in turn was shifted by one against 
the position of the rotor sets of the third pair. 

As soon as there was enough material to provide three encrypted doubled 
indicators such that the same character appeared once in the first and the 
fourth, once in the second and the fifth, and once in the third and the sixth 
position—like the letter W in (the example goes back to Rejewski) 

rtj | WAH WIK 
clqx | DWJ MWR 
hpl j RAW KTW 

—and thus, as in Sect. 19.6.2.1, exhibited a 1-cycle (‘fixpoint’), a promising 
attack was possible (Fig. 174). The machine was started with the three initial 
settings rtj, clqx and hpl, and the common character W was input repeatedly 
as a test character until in each one of the three pairs the same character 
triple occurred twice, i.e., the pattern 123123 was found. Such a coincidence 
triggered a simple relay circuit to stop the whole machine, whose appearance 
led the Poles to call it the bomba 28 . Of course, sometimes there were mishits. 


28 According to Tadeusz Lisicki, it was originally named by Jerzy Rozycki after an ice-cream 
bombe. While they were eating it, the idea for the machine came to him and his friends. 
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If then the core position was revealed, a comparison of the encrypted dou¬ 
bled indicators with the encryptions produced by the ENIGMA replica re¬ 
constructed the ring setting and the cross-plugging. In this way, by end-1938, 
all signals of the day (later of the 8-hour shift) from one and the same key 
net (during the war there were up to 120 such key nets) could be decrypted. 
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abcdef ghi j kl mnopqrst uvwxyz ( Rm) 

Fig. 175. Zygalski sheet for rotor order IV-I-III, ( R L ) = k ; holes show 

possible 1 -cycles (fixpoints) of P 1 P 4 for basic wheel setting ( Rl)(Rm)(Rn) 


The bomba was sensitive to cross-pluggings, and the method worked only 
if the test character (in the example above the letter w) was ‘unplugged’. 
The likelihood for this to happen was around 50%, as long as five to eight 
plugs were used. If three different fixpoints had been allowed, as the British 
originally had in mind, the likelihood would have dropped to 12.5%. 

19.6.3.5 For overcoming the difficulties, another kind of mechanizing was 
developed in autumn 1938 by Henryk Zygalski (1908-1978), namely a ‘punch 
card catalog’ for determining the Tagesschliissel from about ten to twelve (ar¬ 
bitrary) fixpoints. For the six rotor orders it was calculated for P 1 P 4 , P 2 P 5 
or P 3 P 6 , whether for a wheel setting ( Rl)(Rm){Rn ) of the rotors Rl, Rm, 
Rn some fixpoint is possible at all. For each one of the 26 letters (Pl) this 
was recorded in a (Pm)x(Pat) matrix by (Fig. 175) a punched hole (‘ female ’); 
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between 30% and 50% of the squares on a sheet contained holes. To allow full 
overlay, sheets of 51x51 fields, made by horizontal and vertical duplication, 
were used. By superimposing the sheets aligned according to their wheel set¬ 
ting (Rm)(Rn), the core position was determined, as a rule uniquely as soon 
as about ten to twelve fixpoints were available. Most important, the method 
was insensitive to the cross-plugging used and was still useful when ten plugs 
were used after August 19,1939—as long as the double encipherment lasted. 
The Zygalski sheets had the drawback that a different sheet was needed for 
each rotor order, their number grew rapidly: from 3! = 6 as long as three 
wheels were in use to 5!/2! = 60 as soon as five wheels came into use and 
even to 8!/5! = 336 when for the Navy ENIGMA eight wheels were available. 
Therefore, when the Germans introduced December 15, 1938 the fourth and 
fifth rotor, the Poles were helpless for quite a while. 

19.6.3.6 The Germans had always tried by suitable encryption security 
not to become victims of a Kerckhoffs superimposition, and finally became 
victims of a trivial weakness, the doubling of the indicator. 

19.6.4 British-Polish cooperation I. In a meeting on January 9-10,1939 
in Paris, the Polish Lieutenant Colonel Gwido Langer (1894-1948) supple¬ 
mented his French connections by contacts with his British colleagues. With 
an increasing danger of war, a a closer cooperation was necessary. The result 
was a meeting on July 24-25,1939 in Warsaw of Alfred Dillwyn Knox, the 
leading British cryptanalyst in the Foreign Office (he died February 27,1943 
from stomach cancer), his boss Alastair G. Denniston (1881-1961), the head of 
the Government Code and Cypher School (G.C. &C.S.) and the mysterious 
‘Mr. Sandwich’ (Commander Humphrey Sandwith) with the French Comman¬ 
dant Gustave Bertrand and Capitaine Henri Braquenie, and with the Pol¬ 
ish side, represented by Ci§zki, Langer, and the Grand Chef Colonel Stefan 
Mayer. Rejewski, Rbzycki, and Zygalski proudly presented all their results 
in Pyry, to the south of Warsaw. At this occasion, the French as well as the 
British were promised Polish replicas of the ENIGMA with all its five rotors, 
the one for B.P. was handed over in the diplomatic pouch by then Major 
Bertrand to General Menzies, in London on August 16,1939—just in time. 
Since the crisis that led to the Munich Conference of September 1938 the 
British had looked for somewhere to evacuate their cryptological service, to 
insiders known as ‘Room 47’ of the Foreign Office, that worked from the 
address 56 Broadway (Whitehall), Westminster. They found it in Bletchley 
Park (B.P. for short, radio codename and also cover name ‘Station X’), geo¬ 
graphically well located about fifty miles north of London. Before war broke 
out in 1939, the G.C. & C.S. was established there and reinforced. Among its 
many duties was decryption of the ENIGMA, and the group around Knox 
proposal of punched sheets (Zygalski sheets) which they called ‘canvasses’. 
John Jeffreys (dec. May 1940) supervised their preparation; they were ready 
in January 1940. However, for the bomba idea a development was necessary 
in B.P. in order to cope with now sixty instead of formerly six rotor orders. 
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Oliver Strachey 29 had several times arranged contacts between the young 
Alan Mathison Turing, who already had a reputation as a logician and had 
been interested since childhood in cryptology, and the G.C. & C.S. The head 
of the cryptanalytic service, Knox, was a classics scholar, who in 1915 had 
preferred Room 40 of the Admiralty to a Fellowship at King’s College in 
Cambridge, and already had experience with the commercial ENIGMA used 
by the Italians. On September 4, 1939, the second day of the Second World 
War, Turing reported to B.P. He worked on a further development of the 
Polish bomba and was later joined in this by Gordon Welchman (1906-1985), 
who also had arrived September 4 . Turing had experience with relay circuitry 
(Sect. 5.7.3) and thus was not merely theoretically interested in cryptology. 
His contacts with G.C. &C.S. may have reached back to 1936. 

Around January 24, 1940, B.P. for the first time broke an ENIGMA key, the 
key RED for January 6 of the carelessly transmitting Luftwaffe , and contin¬ 
ued to do so, using Zygalski sheets made in the Cottage in Bletchley Park. 

19.6.4.1 Informed after Pyry about the “Forty Weepy” results, Alan Turing 
started in September 1939 where the Polish had left off in May 1937. Turing 
has described this in his typewritten treatise (‘Prof’s book’) probably writ¬ 
ten in 1940. He starts with four messages from May 5, 1937 with 8-letter 
indicators, and 3-letter message settings already decrypted by B.S.-4, 


K F J X EWTW P C V 

S Y LG EWU F B Z V 

J MHO UVQG MEM 

JMFE FEVC MYK 


and says: “The repetition of the EW [in the first two lines] combined with 
the repetition of the V suggests that the fifth and sixth letters describe the 
third letter of the window position [message setting], and similarly one is led 
to believe that the first two letters of the indicator represent the first letter 
of the window position, and that the third and fourth represent the second. 
Presumably this effect is somehow produced by means of a table of bigramme 
equivalents of letters, but it cannot be done simply by replacing the letters of 
the window position with one of their bigramme equivalents, and then putting 
in a dummy bigramme, for in this case the window position corresponding 
to JMFE FEVC would have to be say M Y Y instead of M Y K. 
Probably some encipherment is involved somewhere.” 

Therefore, Turing waited for a more complicated procedure, “the two most 
natural alternatives” being 

1) encoding the letters of the message setting by bigrams and enciphering 
the result at the basic wheel setting (Grundstellung) , or 


29 Oliver Strachey (1874-1960), husband of the feminist Ray Strachey, father of the com¬ 
puter scientist Christopher Strachey, and brother of the writer Lytton Strachey, replaced 
in 1941 in the Canadian cryptanalytical services (‘Examination Unit’) the former US 
Major Herbert Osborne Yardley, who had fallen into disgrace in the United States. 
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2) enciphering the message setting at the basic wheel setting ( Grundstellung ) 
and encoding the letters of the result by bigrams. 


Turing thinks that “The second of these alternatives was made far more 
probable by the following indicators [and message settings] occurring on the 
2nd May 


E XD P 
X X E X 
RO XX 


I V J o 
J X J Y 
J L W A 


VO P 
VUE 
NUM 


With this second alternative we can deduce from the first two indicators that 
the bigrammes E X and X X have the same value, and this is confirmed from 
the second and third [indicators] where E X and X X occur in the second 
position instead of the first.” Turing’s guesses were supported when the mes¬ 
sage settings VOP, VUE, NUM were decoded using the basic wheel set¬ 
ting obtained from the AFA messages. The problem of the Navy indicator 
system was fundamentally solved by the end of 1939. However, without 
knowing the bigram tables used, no further progress could be expected. 


Turing decided early in 1940 to analyze German Navy signals that had been 
intercepted in November 1938, when only 6 steckers were in use and hand 
methods attacking cribs were possible. In particular, interrogation in Nov. 
1939 of a prisoner of war, Funkmaat Meyer, disclosed that the German Navy 
now used spelling for numerals, so, for example, /fort_zwo_clrei_drei_nul/. 
Thus, the ‘Forty Weepy’ method gave cribs. Alan Turing, Peter Twinn and 
two ‘girls’, as Turing calls them, started an attack, using an EINS catalogue 
(see Sect. 14.6), on the November 28,1938 traffic. After a fortnight of work, 
this day was broken and five others between November 24 and 29 came out 
on the same rotor order. The rotor order and Ringstellung seemed to remain 
constant for about a week; the number of steckers was still 6, moreover the 
same letter was never steckered on two consecutive days—a grave mistake. 
Reconstructing the bigram table was at that moment only partly possible and 
the only hope was oriented towards a ‘pinch’. It actually happened April 26, 
1940, when the German Q-boat Polares (Schiff26) was seized off Alesund, 
giving steckering and message setting for April 23 and 24, operator logs giving 
cribs for April 25 and 26 traffic, and, most important, exact details of the 
method of working of the indicator system, confirming Turing’s discoveries. 


The method as such is outlined in Sect. 4.1.3. It uses two trigrams picked 
from a book (the K-book, ‘ Kenngruppenbuch')\ while the first one (‘ Schliissel- 
kenngruppe\ key net indicator), say CIV, had no immediate cryptological 
importance, the second one ( 1 Verfahrenkenngruppe ’), say TOD, when de¬ 
crypted with the Grundstellung , gave the message setting to be used by the 
sender and by the recipient. Thus, the Verfahrenkenngruppe can be called 
‘encrypted message setting’. The basis for the bigram substitution was now, 
with two dummies, the grouping 

* C I V Q C I V 

TOD* TODX 
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Using the cribs the Alesund pinch had produced, further entries in the bigram 
table were within reach. In small steps, some progress was made during 
1940, using suspicions that in June the bigram tables had changed. The sig¬ 
nals of May 8 turned out to be particularly obstinate, and only in November 
an old hand, Hugh Foss, solved them, together with its paired day, May 7. 
Later still, the signals of June 27 were broken—no change in the bigram tables 
had happened. It happened nonetheless on July 1,1940. In February 1941, 
the traffic of April 28 was broken on a crib, using a BOMBE for 336 rotor or¬ 
ders in succession. Shortly after, a planned raid, the Lofoten pinch of the 
trawler Krebs, ended the period of misery and started a rich flow of decrypts 
of the Naval ENIGMAs produced by a choir of crib runs on BOMBEs, EINS- 
ing (Sect. 14.6), and in particular the Banburismus procedure (Sect. 19.4.2). 

19.6.4.2 When in mid-January 1940 Turing met Rejewski, who had fled to 
France, in Gretz-Armainvilliers, north of Paris, he was, according to Rejew¬ 
ski, very interested in the Polish ideas for defeating the cross-plugging. By 
then, he had arrived at his own ideas (see Sect. 19.7), but of course he could 
not mention how far he had come. It was only natural that Turing tried to 
improve the Polish bomby to make them insensitive to cross-plugging like the 
Zygalski sheets. The British, like the Poles, were afraid that with fewer and 
fewer self-steckered letters their methods would soon become useless. Thus, 
Turing wanted to get rid of the restriction to ‘self-steckered’ letters. 

He wanted late in 1939, as Joan Murray nee Clarke remem¬ 
bers the argument, to test all 26 letters in parallel to see 
what output they would have; this would allow a ‘simul¬ 
taneous scanning’ of all 26 possibilities of the test letter. 

Thus, Turing thought of replacing the Scherbius rotors by 
‘Turing rotors’, each one having both on the entry side 
and exit side two concentric rings of contacts—one for the 
journey towards the reflector, one for the return journey— both mimicking 
the same ENIGMA rotor. Likewise, the reflector would have two rings of 
contacts. This modification would have input and output by 26 wires in par¬ 
allel, and result in a double-ended scrambler (Welchman, US parlance ‘com¬ 
mutator’), really representing a classical ENIGMA substitution Pi = StUSif 1 
for i = 1... 26 3 . In accordance with its self-reciprocal character, the scram¬ 
bler had to be input-output symmetrical; this was provided for by a symmet¬ 
ric wiring between the contacts of the inner and outer rings of the reflector. 



Fig. 176. Hypothetical Turing version of the Polish bomba (with ‘simultaneous 
scanning’). Diagram of one of the three feedback cycles of length 2 
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In this Turing version, the Polish bomba amounted to three closed cycles, 
each built from two double-ended scramblers; one such cycle is shown in 
Figure 176. Turing had thus managed to strip off the superencryption by 
the cross-plugging mechanically. And he recognized that the 1-cycles, the said 
females of the Zygalski sheets, being natural fixpoints of a mapping, could be 
determined by an iterative feedback process, which normally diverged and 
thus indicated that the rotor positions in question did not allow a fixpoint; 
if it did not diverge, it gave the fixpoint. The logician Turing, familiar with 
the reductio ad absurdum, thus turned to the general principle of feedback. 

Technically, the distinction between the divergent and the non-divergent case 
was made by a ‘test register’ attached to the 26-line bus of the feedback (in 
Fig. 176 from #4 to #1). Voltage is applied to the wire belonging to the test 
letter (w in our example). In the divergent case all light bulbs of the test 
register light. In the non-divergent case the feedback cycle of the fixpoint is 
electrically isolated from the remaining wiring; correspondingly either exactly 
one light bulb (the one belonging to w) is lit, or all light bulbs but this one 
are, depending on whether the cross-plugging was correctly chosen or not. 

A battery of double-ended scramblers was to be moved simultaneously. Thus 
Turing could have simulated a Polish bomba. But he wanted more and the 
actual development took a different, much more general path (Sect. 19.7). 

In the last quarter of 1939, Turing’s design had progressed far enough that 
Bletchley Park was allowed to ask the British Tabulating Machine Company 
in Letchworth to build a machine, which was also called BOMBE. Harold 
‘Doc’ Keen, with a crew of twelve people, finished it by March 1940. Later, 
Keen was equally successful in building the 4-rotor-BOMBE MAMMOTH. 

Welchman, by the way, late in 1939 when he was still a novice, arrived inde¬ 
pendently at similar conclusions, although at first he was not involved in the 
ENIGMA decryption by machines. He also reinvented the Zygalski sheets, 
not knowing that John Jeffreys in another building already had a production 
line going. Likewise, he did not know of Turing’s ideas, but this was intended. 

19 . 6 . 4.3 Turing may have already thought before the Pyry meeting of mak¬ 
ing use of probable words to break into ENIGMA. After this meeting, having 
heard about the bomba , he turned his thoughts to mechanizing his method. 
The major advantage with the device Turing had in mind was that it not 
only found the rotor order, like the Zygalski sheet, but it also found at least 
one stecker. “It was he who first formulated the principle of mechanizing a 
search for logical consistency based on a probable word ” (Andrew Hodges). 

Turing’s ideas and precautions were guided by Knox’s remark at Pyry that 
the Germans could again change their encryption procedure and give up the 
indicator doubling. Then, having learned in the meantime from decryptions 
a lot on the habits and styles of the Germans, the British hoped to be able to 
produce the necessary feedbacks efficiently with probable words the Germans 
used so plentifully: /wettervorhersage biskaya/, /wettervorhersage deutsche 
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bucht/ etc., or /obersturmbannfiihrer/, obergruppenfiihrer/ etc., or /keine 
besonderen ereignisse/. Thus, B.P. was prepared when on May 1, 1940, 
shortly before the campaign in France, the next change came: Heer and 
Luftwaffe dropped the indicator doubling and put Zygalski sheets out of ac¬ 
tion; the Polish bomba would have been useless. (The Kriegsmarine superen- 
crypted the message indicator with a bigram substitution, see Sect. 4.1.2). 
The Turing BOMBE prototype ‘Victory’ entered service on March 14. Start¬ 
ing August 8, 1940, improved versions followed, nicknamed ‘Agnes’, ‘Jumbo’, 
‘Ming’. [More about the mode of operation in Sect. 19.7 .] Moreover, Turing 
had designed the BOMBE in a way that allowed universal working. 

If, however, the probable word method would not work or if not enough 
BOMBEs were available, there was still the fundamental possibility of an 
alignment ‘in depth’ for superimposition (Sect. 19.3), and the Banburismus 
procedure, performed to reduce the number of rotor orders to be tested. 

19.6.5 France II. Rejewski, Zygalski and Rbzycki, escaping the Polish dis¬ 
aster, fled via Rumania to France. End of September 1939, they joined the 
French radio intelligence group under Commandant Bertrand (‘Barsac’) in 
the Chateau de Vignolles near Gretz-Armainvilliers (cover name Poste de 
Commandement Bruno), 30 miles southeast of Paris. Starting January 3, 
1939, when the British liaison officer Capt. MacFarlane brought the first set, 
and carried on until the German attack (‘Fall GelV ) on France in May 1940, 
‘Group Z’ worked with Zygalski sheets provided by Bletchley Park, and solved 
mainly German Army administration signals (key net GREEN), nearly the 
same number as B.P.: on January 17,1940 the messages of October 28,1939, 
on January 28,1940 those of September 3,1939); later, more important, Luft¬ 
waffe signals (key net RED), and finally, after the Norway invasion, the sig¬ 
nals of Fliegerfiihrer Trondheim (key net YELLOW: starting April 10,1940). 

On the British side, the first success concerned the GREEN key of October 25, 
1939, broken around January 17,1940 and the RED key of January 6,1940, 
broken around January 25,1940. Communication between B.P. and Bruno 
was well established, by April 1940 even a direct teletype line was operating. 
After the collapse of France, P. C. Bruno was first transferred on June 24,1940 
to Oran in Algeria, then in October 1940 transferred back to the Chateau des 
Fouzes near Uzes (cover name ‘Cadix’) in the unoccupied part of France. 
Since the Zygalski sheets had become useless by May 1,1940, the Poles and 
British had to rely for a while on cillies and Herivel tips (Sect. 19.7). The Pol¬ 
ish unit under Lieutenant-Colonel Gwido Langer, named ‘Expositur 3000’ by 
the British, was evacuated November 9,1942, after the landing of the Allies 
in North Africa and the German occupation of the rest of France; Rejewski 
and Zygalski were imprisoned for a while in Spain and reached London via 
Gibraltar on August 3,1943. They continued under Major Lisicki from the 
Polish General Staff with cryptanalytic work on hand ciphers ( Doppelwiirfel- 
verfahren)', however, they were kept at Stanmore, away from Bletchley Park 
with the Turing-Welchman BOMBEs and the COLOSSUS machines. 
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19.7 Plaintext-Cryptotext Compromise: Feedback Cycles 

On May 1,1940 the ENIGMA system was practically open for the British. 
A probable word attack, a plaintext-cryptotext compromise, would profit 
from the sharpness of the Turing (and Welchman) feedback idea pursued since 
1939. And Turing had designed the British BOMBE in a way that allowed 
this. Thus, a method was resumed that Rejewski had used in 1932 (see 
Sect. 19.6.2.6). So, systematically, this chapter belongs at the end of Chap. 14. 

The British had to prepare the menu day by day, and they found enough 
cribs to do so. Meanwhile, they were helped by continuing violations of 
even the simplest rules of cryptosecurity on the German side. John Herivel 
observed in May 1940 that for the first signal of the day the wheel setting 
was frequently very close to (if it did not actually coincide with) the position 
of the wheels for the ring setting of the day (‘Herivel tip’). Moreover, the 
use of stereotyped indicators continued, which the British placed under the 
heading ‘cillies’ 30 . There was also the abuse of taking the basic wheel setting 
as the indicator, called JABJAB by its discoverer Dennis Babbage. When 
the German supervisors finally reacted, the damage was already irreparable. 

Cryptosecurity discipline was lowest in the Air Force of the pompous parvenu 
Goring. From May 26,1940 on, before the Turing-Welchman BOMBE was 
working, mathematicians and linguists in B.P. regularly managed to read the 
ENIGMA signals of the Luftwaffe (key net RED), while for the signals of the 
Kriegsmarine (keynet DOLPHIN, ‘Heimische Gewasser’, later ‘Hydra) they 
had to wait until June 1941 before they had mastered the bigram superen- 
cryption of the message keys. In December 1940, they succeeded in breaking 
into the radio signals of the SS (key net ORANGE). From September 1942 on, 
Field Marshal Rommel’s ENIGMA traffic with Berlin (net CHAFFINCH) was 
no longer secure, and from mid-1942 on the British achieved deep and lasting 
breaks, above all in the heavy Luftwaffe traffic (key net WASP of Fliegerkorps 
IX, GADFLY of Fliegerkorps X, HORNET of Fliegerkorps IV, SCORPION 
of Fliegerfiihrer Afrika). Most obstinate, to British judgement, was the radio 
communication of the German Heer, which was a consequence of the solid 
training of the operators. Before the spring of 1942, no ENIGMA traffic line 
of the Heer except one, VULTURE I in Russia (June 1941), was broken. 

19.7.1 Turing BOMBE. In the general probable word attack, Turing 
(and in parallel Welchman) used instead of the three isolated, two-fold cy¬ 
cles of the bomba a whole system of feedback cycles formed by a battery of 
first 10 and later 12 double-ended scramblers. Such feedback cycle systems, 
which are independent of the steckering , are obtained from a juxtaposition 
of a probable word and a fragment of the cryptotext. Fortunately, for long 


30 Singular: cilli. Sometimes interpreted‘sillies’. Welchman, 1982: ‘I have no idea how the 
term [sillies] arose’. Budiansky: abbreviated name of the girlfriend of a German wireless 
operator. Sebag-Montefiore: the word comes from CIL, which was the first message 
setting worked out in this way. None of these explanations is convincing. 
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enough probable words the non-coincidence exhaustion method (Sect. 14.1) 
allows one to exclude many juxtapositions; furthermore conspicuous probable 
words are often at the beginning or the end of the message (unless Russian 
copulation has been used). Therefore, it is not unrealistic to establish a new 
feedback cycle system for every new juxtaposition; there are not too many. 
The following example 31 goes back to C. A.Deavours and L.Kruh. Let 
OVRLJ BZMGE RFEWM LKMTA WXTSW VUINZ GYOLY FMKMS GOFTU EIU... 

be the cryptotext and /oberkommandoderwehrmacht/ the probable word. 
The third leftmost position not excluded by non-coincidence gives the ‘crib’ 
# 1 4 5 7 8 9 11 12 13 14 15 17 19 24 

o b e r kommandode r w e h r m a c h t 
OVRLJ BZMGE RFEWMLKMTAWXTSWVUI NZ 

with 10 letters AVEK.A407ZSWZ connected by 14 transitions 
(note: calligraphic letters like £ stand for both e and E). 

The 13 different pairings of plaintext and cryptotext letter can be compressed 
into a directed graph with ten nodes and 13 edges, shown in Fig. 177. The 
graph contains one true cycle (sam). The self-reciprocal character of the 
double-ended scramblers, reflected in the symmetric electrical connection of 
their inputs and outputs, means a transition to an undirected graph. From 
this graph, a subgraph may be selected, in jargon a ‘menu’—for our example 
the graph with eight nodes and ten transitions shown in Fig. 178 at the upper 
right corner. Each cycle (in Turing’s parlance ‘closure’) in this subgraph 
establishes a feedback in the Turing BOMBE setup. A menu with six letters 
and four cycles is of course more lucrative than one with twelve letters and 
one cycle: it reduces the danger of mishits. 

Corresponding to such a subgraph with ten transitions, ten double-ended 
scramblers are now connected (with 26-line buses) and a test register is con¬ 
nected, say at £ (Fig. 178). To some entry, say e, voltage is applied. 



Fig. 177. Plaintext letter/cryptotext letter pairings for juxtaposition (‘crib’), 
True cycle (M£A), (#14, #9, #7) 


31 Rotor order IV I H, reflector B, cross-plugging (VO)(WJ\f)(C7Z)(Ty)('PJ')(QT ). 
Ring setting AAA (000), message setting tgb . 
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Fig. 178. Turing BOMBE setup for feedback cycle system of Fig. 177 


The positions 14, 9, 7 form a cycle (‘closure’): denoting the internal con¬ 
tacts with a,b,c,.. .y,z , the cross-plugging with T , and the substitution 
performed by scrambler with Pj, we obtain the relations 

eT = mTPj , mT = ciTPg , aT = eTPi 4 , or eT = eTPi^PgPj . 
Thus, eT is a fixpoint of P 14 P 9 P 7 . 

But the positions 4 , 15, 8 , 7 form also a cycle: at first we have the relations 
eT = rTP /4 , wT = rTPi 5 , wT = mTP 8 , eT = mTP 7 ; 
since the scrambler substitutions are self-reciprocal, we obtain 
eT = mTP 7 , mT = wTP s , wT = rPPi 5 , rT = eTP 4 , or 
eT = eTP 4 Pir } P 8 P 7 . Thus, eT is also a fixpoint of P 4 P 15 P 8 P 7 • 

Moreover, the positions 4, 5, 11, 13, 17 form a cycle: using again that the 
scrambler substitutions are self-reciprocal, we obtain the relations 

eT =rTP 4 , rT = kTP§ , kT = dTPu , dT = tTPig , tT — eTP \ 7 . 
Thus, eT is even a fixpoint of P 17 P 13 P 11 P 5 P 4 . 
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Assume that the position of the scramblers is not the ‘right’ one. Then (nor¬ 
mally, i.e., if enough cycles exist) the voltage spreads over the total system 
and all the test register light bulbs are lit. A relay circuit discovers this 
divergent case and moves the scramblers on to the next position. 

Now assume that the position of the scramblers is the ‘right’ one, i.e., the one 
used for encryption (such that the scrambler #4 maps rT=/ r/ into eT=E). 
Then there are two subcases. If the cross-plugging is correctly chosen, i.e., 
the entry e to which voltage is applied is indeed /e/, then the voltage does 
not spread, and apart from the light bulb belonging to e no lamp is lit. If, 
however, the cross-plugging is not correctly chosen, then the voltage (nor¬ 
mally, i.e., if enough cycles exist) spreads over the whole remaining system 
and all lamps are lit except one, which indicates the cross-plugging. In both 
of these convergent subcases, the machine setting and the light bulb indi¬ 
cation can be noted down. The scrambler position determines the correct 
position of the rotor core. It can be a mishit. This can be quickly decided 
by using the resulting setting to try to decrypt the surrounding text. 

The possibility of Turing’s feedback cycle attack was totally overlooked by the 
young Gisbert Hasenjager (b. June 1,1919), responsible for the security of the 
ENIGMA in the OKW Cipher Branch, Referat IVa, Security of Own Ciphers 
(Karl Stein, 1913-2000), founded in 1942. This attack, as was shown above, is 
strongly supported by the properly self-reciprocal character of the ENIGMA 
(using KORN encryption steps); however, it would also work in principle for 
non-selfreciprocal double-ended scramblers, although such cycles occur much 
less frequently. For example, the only true cycle in Fig. 177 is the cycle 
7 9 14 

m a e 

EM A 

and very long probable words would be needed to make the attack succeed, 
or a larger menu would be needed. For example, in the feedback cycle system 
of Fig. 177, the crib would allow one to adjoin a node U connected with A , or 
a node V connected with A4, or a few more. There is, compared to Fig. 178, 
even one cycle more in the example: from T over iJ, 0, A4, £ to T. But this 
would increase from 10 to 13 the number of scramblers needed in the setup. 

19.7.2 Turing—Welchman BOMBE. Gordon Welchman (1906-1985) 
improved the Turing feedback cycle attack quite decisively by taking all rela¬ 
tions effected by the self-reciprocal character of the typical ENIGMA cross¬ 
plugging explicitly into account. Whenever Turing’s BOMBE stopped, the 
nodes like A , V, £, K. and so on were assigned certain internal contacts. 

Fig. 179 shows such a halting configuration, with two ‘self-steckered’ inter¬ 
pretations A-a, £-e and two interpretations V-t and T-d indicating a cross¬ 
plugging (TV). But the two interpretations W-m and M-x contradict the 
self-reciprocal character of the cross-plugging. The BOMBE should not have 
halted in such a configuration; the contradiction found by this reasoning 
should have caused divergence inside the BOMBE’s electrical wiring. 




Fig. 180. Welchman BOMBE setup for feedback cycle system of Fig. 177 
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Welchman found in November 1939 a simple electrical realization of such 
a ‘forming the reflexive hull with respect to cross-plugging’, the ‘diagonal 
board’ shown in Figure 180. Its functioning is explained in Figure 181: 
Assume eT = dT P 11 P 5 P 4 . The bold overlay in the wiring shows how the 
electrical connection made by the scramblers from e in bus £ to d in bus T> is 
supplemented by the diagonal board with a fixed electrical connection from 
d in bus £ to e in bus V . 



Fig. 181. Functioning of the ‘diagonal board’ of Welchman for the example of Fig. 177 

With Welchman’s improvement, Turing’s feedback cycle attack attained its 
full power and the efficiency of the BOMBE increased dramatically: fewer 
cycles were needed to fill the test register. This not only helped to save 
scramblers, it also allowed shorter cribs and thus increased the chance that 
the middle rotor remained at rest. So Welchman is the true hero of the 
BOMBE story in Bletchley Park. Devours and Kruh (1985) formulated it in 
a way that may console Hasenjager: 

“It is doubtful that anyone else would have thought of Welchman’s idea 
because most persons, including Turing, were initially incredulous when 
Welchman explained his concept.” 
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19.7.3 More BOMBEs. People in Bletchley Park who called the ag¬ 
gregate of scramblers together with the test register and the diagonal board 
a ‘bomb’ were not made aware of the Polish origin of the name and idea. 
‘Agnes’ 32 , the first Turing-Welchman production BOMBE after the proto¬ 
type ‘Victory’, (which did not yet have a diagonal board) was ready by mid- 
August 1940; a ‘bomb run’ needed 17 minutes for a complete exhaustion 
of one rotor order. In the spring of 1941 (‘Ming’: end of May 1941) there 
were 8 BOMBEs at work, and 12 towards the end of the year, built by the 
British Tabulating Machine Company in Letchworth. The number increased 
rapidly to 30 in August 1942, 60 in March 1943, and about 200 at the end 
of the Second World War. B.P. cracked tens of thousands of German mili¬ 
tary messages a month. At the Eastcote outstation, operated by the 6812th 
Signal Security Detachment, US Army, there were 10 bombes in operation: 
ATLANTA (Fig. 182), BOSTON, CHICAGO, HOUSTON, MINNEAPOLIS, 
NEW YORK, OMAHA, PHILADELPHIA, ROCHESTER, and SAN FRAN¬ 
CISCO. Other outstations were located in Adstock, Gayhurst, and Stanmore. 

Fourteen BOMBEs, called ‘Jumbo’, had an attachment (called a ‘machine 
gun’) to resume work when a stop occurred and a contradiction of the steckers 
was found. Some dubbed ‘Funf’ were directed against the Abwehr ENIGMA. 

However, running the bombe on naval ENIGMA needed in the worst case 336 
wheel orders to be checked, against 60 for the Air Force and Army ENIGMA. 
Such a complete run would take at least about 96 hours (4 days), and Hut 
8 , working against the Naval ENIGMA, was short of bombe time in 1942. 

In the USA, both Army and Navy developed high-speed versions of the 
BOMBE that were in service for a few years after the end of the war. 

The X-68 003 of the US Army (SIS), a genuine relay machine constructed by 
Samuel B. Williams from Western Electric/Bell Labs, in operation since Oc¬ 
tober 1943 and equipped with 144 double-ended scramblers, became known? 3 
as MADAME X; using stepping switches it allowed a quick change of the 
crib. The simulation of scramblers by relays was slow, but avoided rotating 
masses. Developed with the help of Bell Laboratories, it was directed against 
3-rotor ENIGMAs, and was unwieldy against the 4-rotor ENIGMAs of the 
Kriegsmarine. Only one MADAME X was actually built, it corresponded in 
power to six or eight British BOMBEs. Design and construction cost a mil¬ 
lion dollars which was not thought cost-effective compared with the Navy’s 
BOMBEs. 

19.7.4 4-rotor BOMBEs. For the US Navy Op-20-G, Joseph Desch at 
NCR, who had experience with rapid circuitry for elementary particle coun¬ 
ters and thus a reputation in electronics, accepted in September 1942 the 
ambitious commission to build 350 BOMBEs, each one several times larger 


32 Turing had dubbed it originally ‘Agnus Dei’. 

33 It is unclear whether the name is an allusion to Agnes Driscoll nee Meyer, the brave fight¬ 
er for pure cryptanalysis (Sect. 17.3.4), who was referred to in Op-20-G as ‘Madam X’. 
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Fig. 182. British BOMBE ‘Atlanta’ (standard model) in Eastcote. 

36 scramblers, a scrambler being formed by three vertically adjacent rotors 



Fig. 183. US Navy BOMBE for 4-Rotor-ENIGMA. 

16 scramblers, a scrambler being formed by four vertically adjacent rotors 
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than the Turing-Welchman BOMBE. Moreover, it was expected to have these 
machines operating by the spring of 1943. Desch and his group “thought 
that American technology and mass production methods could work mir¬ 
acles” (Burke). Desch, however, rejected the request by Joseph N. Wenger 
to build an electronic version: “An electronic BOMBE was an impossibil¬ 
ity.” He was wise: for a ‘super-BOMBE’ he had calculated 20 000 tubes, 
while the British needed only about 2000 tubes for COLOSSUS. 

The British could do no more than help the Navy of their ally. Howard Eng- 
strom had sent Joseph Eachus in July 1942 to Bletchley Park. Turing traveled 
November 7-13, 1942 on the Queen Elizabeth over the Atlantic Ocean and 
departed again from New York harbor on the night of March 23, 1943 on the 
troop carrier Empress of Scotland to arrive with luck in a British harbor on 
March 29. He made good use of the four months in the USA, meeting also 
Claude Elwoocl Shannon at Bell Labs while doing work on voice scrambling. 
Turing found Op-20-G well budgeted for money and the most able people, but 
security measures tighter than those for the Atomic Bomb project prevented a 
deeper contact. NCR in Dayton, Ohio provided the setting for the BOMBEs. 
Despite the efforts of Eachus, it took longer than expected, and by the spring 
of 1943 only two prototypes, ADAM and EVE, were halfway ready. Franklin 
Delano Roosevelt himself gave the project support and impetus. Turing was 
in February 1943 also shown the buildup of the Army Bombe X-68 003. 
Meanwhile, the situation in the Atlantic improved for the Allies, mainly 
thanks to B.P. decryptions. Desch had particular problems with fast spin¬ 
ning electromechanical scramblers with brush contacts. In mid-June 1943 
it was hoped to overcome the difficulties soon. When on July 26,1943, 13 
production models did not function at all, it looked like the whole project 
would be killed. 

But Desch did not give up. The mechanical difficulties were surmounted 
step by step and reliability increased. In September 1943, the first ma¬ 
chines built by NCR were sent from Dayton to Washington, where they 
were to start work. By mid-November 50 BOMBEs were in operation, alto¬ 
gether 125 were built. In 1944, success was certain, although it took slight¬ 
ly longer than optimistically projected and cost almost three times as much 
as planned, but after all a Desch BOMBE N-530,N-1530 (the project was so 
secret that the machine did not even have a name) cost only $ 45 000. 
Britain did not have the first of its very few 4-wheel bombes until early 
summer 1943. The US Navy 4-rotor BOMBE (Fig. 183) Desch had developed 
comprised 16 4-rotor scramblers and a Welchman diagonal board and was 
200 times faster than the Polish bomba , 20 times faster than the Turing- 
Welchman BOMBE (the specification had said 26 times faster). It was still 
30% faster than the 1943 British Bombe attachment WALRUS (‘COBRA’) 
directed against 4-rotor ENIGMAs of the Kriegsmarine. Op-20-G had caught 
up: by December 1943 the decryption of a ‘Triton’ ENIGMA signal took on 
average only 18 hours, compared to 600 in June 1943. In contrast to their 
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British cousins, they localized the scrambler positions and controlled the 
whole job by digital electronics with 1500 thyratrons (gas-filled tubes). The 
Desch BOMBEs proved to be so reliable that by the end of 1943 all work on 
the decryption of the ‘Triton’ key net of the German U-boats was assigned 
to the US Navy—a great step forward from the rivalries of mid-1942. 

The BR.USA pact Cooperation in Code/Cipher Matters of May 1943 between 
the USA and the UK, and for their navies in particular the Holden 34 Agree¬ 
ment of October 1942 “began to move the two nations towards a level of un¬ 
precedented cooperation” (Burke) in cryptanalysis. But some frictions and 
tensions remained. “It was not until the UKUSA agreement of 1946 that 
the two nations forged that unique relationship of trust that was maintained 
throughout the Cold War” (Burke). 

VIPER and PYTHON were American machines directed against the Japa¬ 
nese rotor cipher machines. They were built from relays and stepping swit¬ 
ches, and little by little equipped with electronic additions. 

Finally, towards the end of the war, the inevitable transition to truly elec¬ 
tronic machines was made: Op-20-G built RATTLER against Japan’s JN-157 
while SIS built in 1945 a successor to the relay-based AUTOSCRITCHER 
which was correspondingly called SUPERSCRITCHER 35 . Op-20-G also built 
DUENNA, which did not enter service until November 1944, and the British 
built GIANT, a contraption of four bombes linked together with common 
control—names that did not exist until recently in the open literature. All 
these machines were directed against cross-plugging and reflector plugging. 
Another subject Alan Turing approached in 1943, after his return from the 
USA, was speech encipherment. The design of DELILAH started in Sep¬ 
tember 1943, construction in June 1944; it was just finished by May 6,1945. 

19.7.4 The advent of computers. The idea of the universal stored-pro- 
gram computer, which had originated in mid-1940 with Eckert and Mauchly 
and had been elaborated by von Neumann and Goldstine, was pretty soon, al¬ 
though not publicly, influencing cryptanalysis with machines. James T. Pen¬ 
dergrass of Op-20-G, in a report submitted late in 1946 and kept Top Secret 
until 1993, strongly advocated the use of universal computers. It started in 
1948 with ABNER at SIS (a development that took four years) and the AT¬ 
LAS efforts going back to August 1947 at Op-20-G (supplementing those al¬ 
ready mentioned in Sects. 17.3.5 and 18.6.3). The National Security Agency, 
the ‘super’ authority, successor to both SIS and Op-20-G, gave great impact 
to the emerging computer field. Howard H. Campaigne, Samuel S. Snyder, 
and Erwin Tomash reported on the influence of US cryptological organiza¬ 
tions on the aspiring digital computer industry. Some former Navy reserve 

34 Carl F. Holden, Capt. US Navy, Director of Naval Communications. 

35 The expression ‘scritchmus’ comes from the jargon of Bletchley Park (“I cannot now 
recall what technique was nicknamed a scritchmus,” wrote Derek Taunt) and the method 
was developed by Dennis Babbage. For the origin see also Sect. 14.5. Ralph Erskine 
thinks ‘scritching’ comes from ‘scratching out contradictions’. 
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officers, Howard T. Engstrom, William C. Norris, and Ralph Meader founded 
a private company, Engineering Research Associates, Inc. (E.R.A.) early in 
1946; they were assisted by Charles B. Tompkins and John E. Howard and 
cooperated with Joseph Eachus and James T. Pendergrass of Op-20-G. They 
developed computers in close contact with the Navy. The milestone was 
Task 13, renamed ATLAS in 1948, delivered in December 1950. This led to 
a marketing of the computer ERA 1101 (announced in December 1951). Its 
successor (Task 29, code-named ATLAS H, completed in 1953) was marketed 
as ERA 1103 and was an immediate success. E.R.A. became a Remington 
Rand subsidiary in 1952. By 1954, Remington Rand enjoyed a strong sec¬ 
ond position in the market with the improved 1101A (and the UNIVAC H 
developed by the Eckert-Mauchly group). 

Their competitor IBM, the leader on the market, announced in 1951 the De¬ 
fense Calculator, renamed IBM 701 and marketed in 1953; the initial delivery 
of the 701 to a commercial buyer took place in April 1953, of the ATLAS II 
to the government in October 1953. IBM’s STRETCH developed from the 
N.S.A. HARVEST of 1962. 

In the 1970s, Seymour R. Cray (1925-1996), an electrical engineer who for¬ 
merly worked at E.R.A. under Engstrom, formed his own company and in 
1976 designed the CRAY-1. N.S.A. still partly relies on commercial manufac¬ 
turers. The sensitive circuitry of CRAY computers hides some of the crypt- 
analytic algorithms N.S.A. is relying upon. The Cold War in its present, 
miniature form has crept into the chips. 



20 Linear Basis Analysis 


It would not be an exaggeration to state 
that abstract cryptography is identical 
with abstract mathematics. 
A. Adrian Albert 1941 


20.1 Reduction of Linear Polygraphic Substitutions 


In favorable cases, a linear polygraphic substitution with an encryption width 
n can be reduced to an exhaustion of width n, namely if a decryption of a 
set of n frequently occurring crypto n-grams into a set of n plain n-grams 
can be guessed. This is sometimes easier than it looks at first sight, if a long 
enough probable word can be assumed that is met in n different phases. 


20.1.1 Example. To keep the computations verifiable, we limit ourselves 
to an example with n = 3. Given the cryptotext 

FDYSW IJXNZ NSNRE NHUWA WM I E I EXWSX 

ESIGQ JNTBD BWD P U . 

we assume that we have in the circumstances a linear polygraphic substitution 
of width 3 over the standard alphabet—possibly a second trial in a series 
of trials with increasing encryption width. The cryptotext then reads in 
trigrams over Z 26 

5 3 24 18 22 8 9 23 13 25 13 18 13 17 4 13 7 20 22 0 22 12 8 4 

8 4 23 22 18 23 4 18 8 6 16 9 13 19 1 3 1 22 3 15 20 . 

and we assume that the (boldface) trigrams 13 17 4 , 22 0 22 and 6 16 9 

appear quite frequently in the further cryptotext. In view of the very frequent 

occurence of /ation/ in English, French and German, we can try the conjec¬ 
ture that the three plaintext trigrams /ati/, /tio/ and /ion/ are involved; in 
which order remains to be seen. 


In Z 26 the plaintext trigrams are 0 19 8 , 19 8 14 and 8 14 13 . Therefore, 
the matrix X of the linear substitution is determined as follows, where P is 
a permutation matrix unknown at the moment: 


( 


0 

19 

8 


19 

8 \ i 

( 13 

17 

4 \ 

8 

14 \ X = P 

22 

0 

22 

14 

13/ 

V 6 

16 

9 / 
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There are six solutions in Z 26 for the 6 = 3! permutations. We can imagine 
that after trying two or three of them, we found the following 


19 

8 \ 

/ 22 

0 

22 \ 


12 

8 

17 

8 

14 \ X = 

6 

16 

9 

to give 

X= 8 

18 

24 

14 

13/ 

V 13 

17 

4 / 


V 13 

19 

14 


which seems to be the right path, since translated into the letter alphabet, 


/ M I R\ 

X=\ I S Y I comes from the‘reasonable’password MINISTRYO[F ]. 
\N T O) 

This confirms the solution in Rohrbach’s sense. 


20.1.2 A pitfall. But there is a complication. If we now try to decrypt 
the cryptotext, we might look for an inverse matrix X and surprisingly find 
there is none. In fact, the use of a ‘reasonable’ password does not guarantee 
that the encryption is injective, and X is not injective: the vector (0 13 0) 
is annihilated by X . This means, that even the authorized decryptor has the 
fun of looking for the ‘right’ solution: 


to 5 3 24 belong 8 0 5 = iaf and 8 13 5 = inf ; 

to 18 22 8 belong 14 4 12 = oem and 14 17 12 = orm and so on. 

The polyphone decryption is: 


i a f o c m 
n r 


1 e a 
r 


d v° 


d ; r 


s ? a 




* v 0 


1 o n 


n b 
n 


0 s n 


a f i 
o r 


o l a 


The correct plaintext is easily discovered: “inform direction of national radio 
station about our ... .” 


20.2 Reconstruction of the Key 

If a quasi-nonperiodic key of a polyalphabetic linear polygraphic substitution 
of width n is generated by iteration of a regular n x n matrix A over Z w , a 
swapping of roles between plaintext and keytext can be made. A probable 
word of length k, k > n 2 + n is shifted along the cryptotext and subtrac¬ 
ted in every position. What remains is in favorable cases a key fragment 
(sjf+i, Sm+ 2 , ■ ■ ■ SM+n 2 +n, SM+fc) of a length k > n 2 + n . The n equations 

{sm+1i Sm+ 2, ■ ■ ■ SM+n) A = (sM+n+l> SM+n+ 2 , ■ ■ ■ SM+2n) 

(^M+n+li SM+n+ 2? • ■ • S‘A4+2n) A — (sjvf+2n+l; ^M+2n+2i ■ • ■ ^Af+3n) 

(5A7+2n+l? SM-\-2n+2‘i • • • ^M+3ra) A — (sjvfp3n+l; ^M+3n+2i ■ • ■ ^Al-\-4n) 


(^M+n 2 —n+1 1 SM+n 2 —n+2t • • • $ M+n 2 ) A +n 2 +1? ^M+n 2 +2i • • • ^M+n 2 +n) 

in Zjy suffice to determine A ; for t>n 2 + nwe even have an overdetermined 
system of linear equations. 
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To give an example, the three pairs of numbers (1 0), (3 5), (23 22) are 
obtained from (1 0) by two iterations with a matrix A ; A is determined by 

(1 0)A=(3 5) and (3 5)A=(23 22); thus 5 ) A= (23 22 ) 

/3 5 \ ' ' ' ' 

and the result in Z 26 is A= ( 1 . 

If in the favorable case the position of the probable word fits, then the system 
can be solved, and for the overdetermined case some such systems are solvable 
and give a common solution, strongly indicating a correct solution. In the 
unfavorable case that the position of the probable word does not fit, the 
system or one of the systems may not be solvable. If it is accidentally solvable, 
then the keytext can be prolonged and subtracted from the crypto text, which 
as a rule produces nonsense text—indicating a flop. For a sufficiently long 
probable word, the key is normally completely revealed, and mishits should 
not occur. 


20.3 Reconstruction of a Linear Shift Register 


Linear shift registers in the wider sense fall as a special case under the kind of 
attack treated in Sect. 20.2 . In this case, the matrix A is an n x n companion 
matrix (Sect. 8.6.1), 


A = 


f° 


1 

0 


0 0 
0 0 
1 0 


0 a k \ 

0 afc-i 
0 Q-k -2 


I 0 0 0 ... 0 a 2 

VO 0 0 ... 1 ai / 


If a key is generated by iteration with such annxn companion matrix, then 
a fragment of length 2 n of the key text suffices to reconstruct the companion 
matrix and thus to generate the whole key. 

Again, to keep the computations easily verifiable, we limit ourselves to an 
example with n = 4. Assume we have the following cryptotext: 

C G V J F M C I H T X U F S D Y V L M R . 


Assume, too, that in the circumstances the encryption is a monographic, 
simple VIGENERE with a quasiperiodic key sequence generated by a linear 
polygraphic substitution of width 4 in Z 26 . Among the probable words we 
conjecture the word /broadcast/ . 

We may start with the hypothesis that the probable word is right at the 
beginning. We then have the situation (p plaintext, k key, c=p+k ciphertext) 


c 


P 


C G V J F 

2 6 21 9 5 
broad 
1 17 14 0 3 


M C I H T 

12 2 8 7 19 

cast 
2 0 18 19 


X U F S D 

23 20 5 18 3 


Y V L M R 
24 21 11 12 17 


c-p 1 15 7 9 2 


10 2 16 14 
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This yields the iteration equation in Z 26 


/ 1 15 7 

15 7 9 

7 9 2 

9 2 10 

V 2 10 2 



/0 0 0 
10 0 
0 10 
VO 0 1 



and the overdetermined linear system 

/ 1 15 7 9 

15 7 9 2 

7 9 2 10 

9 2 10 2 

V 2 10 2 16 




2 

16 

V14/ 


(15 

7 

9 

2 \ 

7 

9 

2 

10 

9 

2 

10 

2 

2 

10 

2 

16 

VlO 

2 

16 

14/ 


which cannot be solved: The first four lines can be transformed by Gaussian 
elimination into 


f 1 

15 

7 

9 \ 

(tl 

0 

1 

9 

9 

^2 

0 

0 

1 

17 


Vo 

0 

0 

1/ 

\ £4 



with a solution by back-substitution 

t>4 = 8, — 20, ^2 = 0, t± = 24, 

but this obviously does not fulfill the fifth equation. 


The next hypothesis to be tested could be that the probable word begins at 
the second position of the plaintext, which leads to the situation 


c 


P 


C G V J F 

2 6 21 9 5 

b r o a 

1 17 14 0 


M C I H T 

12 2 8 7 19 

d c a s t 

3 2 0 18 19 


X U F S D 

23 20 5 18 3 


Y V L M R 
24 21 11 12 17 


c-p 5 4 21 5 9 0 8 15 0 


and to the iteration equation in Z 26 


/ 5 4 21 

4 21 5 

21 5 9 

5 9 0 

V 9 0 8 


5 \ 

9 ' 

0 

i 8 5 ; 


(0 0 
1 0 
0 1 
Vo o 


o h\ 
o h 
o h 
l uJ 


/ 4 21 5 9 \ 

21 5 9 0 

5 9 0 8 

9 0 8 15 

Vo 8 15 0 / 


This yields the overcleterminecl linear system 


( b 

4 

4 

21 

21 

5 

5 \ 

9 

(h\ 

J. 1 

( 9 \ 
0 

21 

5 

9 

0 

2 = 

8 

5 

V 9 

9 

0 

0 

8 

8 

15/ 

1 3 1 

\tj 

15 

\o) 
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which can be solved: the first four lines can be transformed by Gaussian 
elimination into 

/I 6 25 1 \ /h\ / 7 \ 

I 0 1 23 7 , t 2 _ | 18 

0 0 1 4 t 3 _ 23 ’ 

Vo 0 0 1 / Vf 4 / V 3 / 

with a solution by back-substitution 

t 4 = 3,t 3 = lM2 = 4,t 1 = 17, 
which obviously does fulfill the fifth equation: 

9x17+0x4+8x11+15x3 = 286 =11x26 = 0 modulo 26 

The iteration matrix for the continuation of the key text is thus in Z 26 


0 0 0 17 
10 0 4 
0 1 0 11 
0 0 13 


with the inverse A 1 = 


12 1 0 0 
7 0 10 

9 0 0 1 

23 0 0 0 


Therefore, the key k = c — p can be supplemented to 

2 5 4 21 5 9 0 8 15 0 15 7 25 4 24 23 20 9 19 3 

and leads to the following decryption (p = c — k) 


C CGVJF MCIHT XUFSD YVLMT 

2 6 21 9 5 12 2 8 7 19 23 20 5 18 3 24 21 11 12 17 ... 

k 2 5 4 21 5 9 0 8 15 0 15 7 25 4 24 23 20 9 19 3 ... 

0 1 17 14 0 3 2 0 18 19 8 13 6 14 5 1 1 2 19 14 ... 

p abroa cl cast ingof bbcto 

(“A broadcasting of BBC tonight announced the Allied invasion to be ex¬ 
pected within forty-eight hours.”) 

The last column of the iteration matrix is deduced from the password 
( FID)DLER + (5 8 3) 3 11 4 17 . 


For a key sequence generated by a binary linear shift register in connection 
with a VIGENERE over Z 2 , i.e., a VERNAM, everything said above holds, 
too. A shift register encryption should be nonlinear to avoid this line of 
attack (Beth et al. 1982). 

Quite generally, linear substitutions are much more vulnerable to cryptana- 
lytic attacks than non-linear ones. 





21 Anagramming 


Abandonner les methodes de substitution pour celles de transposition 
a ete changer son cheval borgne pour un aveugle. 

[Abandoning the methods of substitution for those of transposition 
was like changing one’s one-eyed horse for a blind one.] 

Etienne Bazeries 1901 

Transpositions were for a while the favorites of the military, particularly in the 
late 18th and early 19th century in France, Germany, Austria, and elsewhere. 
They seemed to be suitable above all as field ciphers (‘trench codes’) for the 
lower ranks. Bazeries, around 1900, made fun of this and generally ascribed 
to transposition systems that seemed difficult at first sight a complication 
illusoire. Cryptanalysts usually loved adversaries that used simple transpo¬ 
sitions (like the German Abwehr hand ciphers) because they promised to be 
easy prey; likewise the literature treats cryptanalysis of transpositions as 
relatively unsophisticated. 

21.1 Transposition 

Simple transposition (Sect. 6.2.1), i.e., throwing single characters about, with 
small encryption width n, can be treated for very small known n by system¬ 
atic studies of contact in bigrams, possibly also in trigrams and tetragrams of 
characters. In the Second World War, the cryptanalytic services in the Ger¬ 
man Auswdrtiges Amt (Pers Z) and Oberkommando der Wehrmacht (Chi) 
used special machines, called Spezialvergleicher and Bigrammbewertungsgerat 
(Rohrbach, Jensen) for the semiautomatic solution of simple column trans¬ 
position and simple block transposition. Essentially, the exhaustive scissors- 
and-paste method of Sect. 12.8.2 was mechanized. A piece of cryptotext was 
confronted with the whole cryptotext in all relative positions and for the 
observed bigrams the theoretical bigram frequencies were multiplied, then 
positions where this product was high were singled out. The method is even 
helpful if the columns of a columnar transposition do not all have the same 
length. 

For the US Army, towards the end of the war SIS built FREAK, a bigram 
counter based on electric condensers, a substitute for the 1943 NCR-built 
MIKE which, according to Burke, was “a huge electromechanical contrap¬ 
tion.” 
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21.1.1 Example. We consider an example of this ‘contact method’ for the 
following cryptotext: 

SSNKL HONIW MM EUNTAHUL INNAH NCINF CIERO 
NACBA MZGHN KT HWC DES IN KCAIE ANIM 

Counting the frequencies of single letters results in a distribution not very 
different from that of the German language and allows us to consider trans¬ 
position. The total number of characters is 64, which even suggests a trans¬ 
position with an 8x8 or 4 x 16 square. Trying the 8x8 square 

S I A H E M W C 

SWHNRZ C A 
N M U C O G D I 

K M L I N H E E 

L E I N A N S A 

H U N F C K I N 

O N N C B T N I 

N T A I A H K M 

we take a column (it could also be a line) that contains many frequent char¬ 
acters, say the 5th, ERONACBA, and confront it with the other columns. The 
resulting bigrams and their expected frequency (see Table 11, in %%) is given 
in the following diagram (empty entries mean a frequency below 0.5%%): 


ES 

140 

E I 

193 

EA 

26 

EH 

57 

EM 

55 

EW 

23 

EC 

25 

RS 

54 

RW 

17 

RH 

19 

RN 

31 

RZ 

14 

RC 

9 

RA 

80 

ON 

64 

OM 

17 

OU 

3 

OC 

15 

OG 

5 

OD 

7 

O I 

1 

NK 

25 

NM 

23 

NL 

10 

N I 

65 

NH 

17 

NE 

122 

NE 

122 

AL 

59 

AE 

64 

AI 

5 

AN 

102 

AN 

102 

AS 

53 

AA 

8 

CH 

242 

CU 


CN 


CF 


CK 

14 

C I 

1 

CN 


BO 

8 

BN 

1 

BN 

1 

BC 


BT 

4 

BN 

1 

B I 

12 

AN 

102 

AT 

46 

AA 

8 

AI 

5 

AH 

20 

AK 

7 

AM 

28 


The confrontation of the column ERONACBA with the column SSNKLHON 
shows clearly higher frequencies than the others. Multiplying the frequencies 
gives the value 1.41 x 10 14 x 10 -32 = 1.41 x 10“ 18 , while all other columns 
give values below 3.74 x 10 9 x 10 - 32 = 3.74 x 10 - 23 . Because of this good 
result, the next column we test is the first, SSNKLHON. Now the confrontation 
with the not yet used columns gives 


S I 

65 

SA 

36 

SH 

9 

SM 

12 

SW 

10 

SC 

89 

SW 

10 

SH 

9 

SN 

7 

S Z 

7 

S C 

89 

SA 

36 

NM 

23 

NU 

33 

NC 

5 

NG 

94 

ND 

187 

N I 

65 

KM 

1 

KL 

10 

K I 

7 

KH 

1 

KE 

26 

KE 

26 

L E 

65 

L I 

61 

LN 

4 

LN 

4 

L S 

22 

LA 

45 

HU 

11 

HN 

19 

HF 

2 

HK 

3 

H I 

23 

HN 

19 

ON 

64 

ON 

64 

OC 

15 

OT 

9 

ON 

64 

O I 

1 

NT 

59 

NA 

68 

N I 

65 

NH 

17 

NK 

25 

NM 

23 


This time, confrontation with the column WCDESINK stands out, not as 
clearly as before, but with a product of 3.50 x 10 12 x 10 - 32 = 3.50 x 10 _2 ° 
still indubitably, since all others are below 5.39 x 10 11 x 10 -32 = 5.39 x 10 - 21 . 
Daring to continue with the 7th column WCDESINK, the next confrontation 
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gives a preference for the 3rd column AHULINNA. If the columns which are 
singled out in this way are written side by side, the result so far is 

ESWA 
RSCH 
ONDU 
NKEL 
AL S I 
CH I N 
BONN 
ANKA 

Surprisingly, this is already plaintext; since the columns used so far are the 
5th, the 1st, the 7th and the 3rd, it is quite likely that the transposition uses 
a 4 x 16 square. The remaining columns are simply subjected now to the 
same permutation, doubling the length of the columns: 

M I CH 
Z WAN 
GM I C 
HME I 
NEAN 
KUNF 
TN I C 
HTMI 

The complete plaintext reads 

„es war schon dunkel als ich in bonn ankam ich zwang mich meine ankunft 
nicht mi[t der automatik ...]“(Heinrich Boll, Ansichten eines Clowns , 1963). 

21.1.2 Shifted columns. In the example just discussed the first column of 
the plaintext had more of the frequent letters than the other columns. This 
will usually not be the case, and not only the contact to the right, but also 
the contact to the left will need to be investigated. As soon as the very first 
or the very last column of the plaintext is reached, continuation makes sense 
only with columns shifted by one place. Using trigram frequencies increases 
the number of exhaustive steps, but may give more stable permutations. 

21.1.3 Caveat. We have seen that simple transposition with fixed en¬ 
cryption steps of some width provides no security if the text is a few times 
longer than the width. Transposition with a width equal to the length of the 
text, as a rule, allows more than one ‘meaningful’ solution, even for very long 
texts. A smart lawyer therefore could have saved Brother Tom of Jonathan 
Swift (Sect. 6.3), if he had found another, harmless solution of the anagram. 
However, the security this kind of transposition offers rests fully on the one¬ 
time use of the permutation of the places, which means an individual key. As 
soon as such an encrypting transposition step is used a few times, the simple 
attack of Sect. 21.1.1 can be tried, and a specific method to be discussed in 
Sect. 21.3. 

21.1.4 Codegroup patterns. Even when code has been superencrypted 
by simple transposition, it can be treated in the way mentioned above if 
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its codegroups have certain patterns. For example, this is the case if ‘pro¬ 
nounceable’ codegroups are built in a vowel-consonant pattern, like CVCVC 
in the GREEN code of the US State Department (Sect. 4.4.2). Still in the 
Second World War, the US State Department used codes of type CVCVC and 
CVCCV , a property which also helped AA /Pers Z (Sect. 19.4.1.2) to strip off 
an additive. 

21.1.5 Illusory complication. Furthermore, the ‘contact method’ works 
also for mixed-rows columnar transposition and mixed-rows block transposi¬ 
tion (Sect. 6.2.3), since the contact is only occasionally interrupted. It yields 
an intermediate cryptotext with permuted lines; for example, in our 8x8 
square 

MICHZWAN ALSICHIN ONDUNKEL NEANKUNF 
GMICHMEI ESWARSCH TNICHTMI BONNANKA. 

Both Givierge and Eyraud pointed out that transposition double in the form 
of mixed-rows columnar transposition and mixed-rows block transposition, 
including Nihilist transposition, are not much more resistant than the sim¬ 
plest columnar transposition. The double suggests a complication illusoire. 

21.2 Double Columnar Transposition 

Double columnar transposition (Sect. 6.2.4)—except in particular cases, as in 
Sect. 6.2.5—is a much harder task for the unauthorized decryptor. The reason 
is that after the first transposition all contacts are completely torn. Eyraud 
treats the case in some detail, but is unable to give a complete method. Koza- 
czuk describes how the Polish side solved German Doppelwiirfelverfahren. 
Kahn: “...in theory the cryptanalyst merely has to build up the columns 
of the second block by twos and threes so that their digraphs and trigraphs 
would in turn be joinable into good plaintext fragments. But this is far more 
easily said than done. Even a gifted cryptanalyst can accomplish it only on 
occasion; and even with help, such as a probable word, it is never easy.” 

A really powerful means of attack, if possible, is multiple anagramming. 

21.3 Multiple Anagramming 

For the most general case of transposition, even with a width about as large as 
the full text, including also grilles and route transcriptions, there is a general 
method, requiring nothing more than that two plaintexts of the same length 
have been encrypted with the same encryption step, i.e., that the encrypting 
transposition step has been repeated at least once. Such a plaintext-plaintext 
compromise suggests a parallel to Kerkhoffs’ method of superimposition. 

21.3.1 Example. The method is based on the simple fact that equal en¬ 
cryption steps perform the same permutation of the plaintext. The crypto¬ 
texts are therefore written one below the other and the columns thus formed 
are kept together. Assume we have (in phase) the cryptotext fragments 
(Kahn) GHINT and OWLCN. 
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This means that the five pairs 


G H I N T 

O W L C N 


are to be anagrammed. Among the 5x4 = 20 combinations only the following 
twelve (in descending contact order) 


TH NG GT IN TI NI GH HI IG TN HT GI 

NW CO ON LC NL CL OW WL LO NC WN OL 


have sufficiently large contact at both levels. Using only the first four com¬ 
binations, there is just the meaningless solution lconw anc ^ even ^ ie 
first eight combinations only cyclic shifts of this solution are obtained, as the 
following graph with five nodes and eight branches shows: 



Using also the ninth combination, there is a further solution qlonw w ^ 1 * c ^ 1 
is senseless. Only with the first eleven combinations is the meaningful solu¬ 
tion clown ( an d cyclic shifts) obtained, which can be seen from the 
following graph with five nodes and eleven branches: 



Thus, NIGHT and CLOWN are the solutions obtained by multiple anagram¬ 
ming. “There will be one order—and only one—in which the two messages 
will simultaneously make sense” was in 1879 the empirical finding of Ed¬ 
ward S. Holden. 


21.3.2 Practical use. The example shows that multiple anagramming of 
two or more cryptotexts can be treated as a graph-theoretic problem, where 
the number of nodes equals the length of the texts. Mechanized calculation 
of the feasible combinations is possible. The combinatorial complexity of the 
search problem of finding a path through all nodes without visiting a node 
twice limits the length of texts that can be treated this way. If about half a 
dozen texts of length say 25, 36, 49, 64, 81, or 100 are given, as was frequently 
the case with field ciphers, multiple anagramming with some computer sup¬ 
port can be done quickly. Multiple anagramming is particularly important for 
transpositions made by means of grilles and route transcriptions, since these 
devices are prefabricated and as a rule destined for multiple use. Superen¬ 
cryption of a polyalphabetic substitution (chiffre a triple clef of Kerkhoffs) 
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by transposition withstands the contact method of multiple anagramming. 
This is not to say that there are no other ways to attack it. 

21.3.3 Hassard, Grosvenor, Holden. Transposition can also be done 
with words instead of with letters; then multiple anagramming of words is 
the cure. Multiple anagramming was invented or at least for the first time 
made public in 1878—five years before Kerckhoffs—by John R. G. Hassard 
and William M. Grosvenor, two editors of the New York Tribune (which co¬ 
operated), and independently in 1879 by E. S. Holden, already mentioned, a 
mathematician at the US Naval Observatory in Washington. The reason for 
such a massive effort was a scandal in the US Senate, based on some hun¬ 
dreds of encrypted telegrams. An amateurish system was used: plaintext 
with disguised proper names and revealing words was written into a grille, 
and four such grilles were used with 15, 20, 25, and 30 words. The telegrams 
were decrypted independently and coinciding solutions were obtained which 
ensured their correctness and authenticity. Revealing the scandal had deep 
political consequences, moreover the American public became intensely in¬ 
formed about secret codes and how to break them. Possibly the preference 
in the USA for cryptograms as a pastime stems from this source. 

In 1914, the French under Colonel Frangois Cartier had learned their lesson 
when they were confronted with the Heer of the German Kaiser, which used 
a double columnar transposition as trench code. This was not new for the 
French, since the Germans stupidly had used the method already in peacetime 
to a great extent for drill messages. To make it more obvious, all signals were 
marked by the codegroup UBCHI ( Ubungschiffre) in the preamble; the French 
therefore called the system ubchi. With multiple anagramming they could 
pretty soon decrypt the messages at least in large fragments (a typical situ¬ 
ation). This allowed them to reconstruct the password. On October 1, 1914 
Cartier and his aides Adolphe Olivary, Henri Schwab, and Gustave Freyss 
gave the decryption rule to various French headquarters, enabling them to 
read the German wireless traffic as quickly as the Germans themselves. This 
situation lasted until mid-November 1914. 

The generals of the Kaiserliche Heer then made a terrible blunder: they 
changed from the obstinate, time-consuming double columnar transposition 
to a simple columnar transposition, superencrypted by a VIGENERE ad¬ 
dition with key ABC, which could be done in the head. This complica¬ 
tion illusoire —stripping off the addition only needed a look at the frequency 
profile—allowed the French to use contacts in solving a single columnar trans¬ 
position, which was a simple matter. The situation lasted until May 1915 
and saved the French a lot of work. 

Although Le Matin had published the story of the French success in October 
1914, the German army returned to transposition at the end of 1916, this 
time using a turning grille. This lasted four months and caused no problem 
for the French, of course. 
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Insufficient cooperation in the development of one’s own proce¬ 
dures, faulty production and distribution of key documents, incom¬ 
plete keying procedures, overlooked possibilities for compromises 
during the introduction of keying procedures, and many other cau¬ 
ses can provide the unauthorized clecryptor with opportunities. 

Erich Hiittenhain 1 1978 

The history of cryptology shows that the unauthorized decryptor feasts on the 
mistakes of the adversary (Sect. 11.2.5). Simple encryption errors are made by 
crypto clerks. Tactical and strategic cryptographic faults occur in intelligence 
and communication organizations at all levels up to generals and directors. 
This even includes political questions of organization. The split among the 
services in Germany before and during the Second World War, ultimately 
but not merely a consequence of the rivalry between Ribbentrop, Goring, and 
Himmler, and the division into Sonderdienst Dahlem in the Abteilung Pers Z 
of the Auswartiges Amt , Chiffrierabteilung (Chi) in the Oberkommando der 
Wehrmacht , B-Dienst of the Kriegsmarine, Forschungsamt of the Reichs- 
luftfahrtministerium (founded 1933), and Amt VI of the Reichssicherheits- 
hauptamt was extremely counterproductive; the British concentrated their 
services from the very beginning of the tensions under the Foreign Office in 
the Government Code and Cypher School, and even the military services did 
not feel badly served, not to mention the secret services, M.I.6 (under Stewart 
Menzies) and the American O.S.S. (under David Bruce); the partners all sat 
together in Winston Churchill’s secret ‘London Controlling Section’ (L.C.S.). 
But both the Germans and the British (with their ‘need to know’ doctrine) 
maintained internal barriers for reasons of intelligence security; their effect 
was that no one division could learn enough from the others to be useful, 
which also allowed them sometimes to hush up flops and failures. 

It is more a matter for historians than for cryptologists to judge to what 
extent results from cryptology have influenced war and peace. A voluminous 
journalistic record includes everything from serious discussion to sensation¬ 
alist revelations. 

1 Dr. Erich Hiittenhain (January 26, 1905 —December 1, 1990) studied mathematics (Hein¬ 
rich Behnke) and astronomy in Munster. In 1936 he entered the Cipher Board (Chi) of 
the Oberkommando der Wehrmacht (OKW); he was finally head of group IV (ana¬ 
lytic cryptanalysis) in the Hauptgruppe Kryptanalyse of Ministerialrat Wilhelm Fenner 
who worked there from 1922 and considered mechanized solving ‘a remote possibility, the 
fancy of some analysts’ (Rebecca Ratcliff). After the war Hiittenhain directed from 1956 
until 1973 an office of the Federal Government in Bad Godesberg, the Bundesstelle fur 
Femmeldestatistik, later renamed more fittingly Zentralstelle fur das Chiffrierwesen 
(‘German Cipher Board’). His successor (1973-1993) was Dr. Otto Leiberich. 
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Dillwyn Knox 


William Friedman (seated) with (from left) 
Solomon Kullback, 

Frank Rowlett and 
Abraham Sinkov 
(Arlington Hall, 1944) 


Erich Hiittenhain 


Hans Rohrbach Andreas Figl Yves Gylden Georges-Jean Painvin 


Fig. 184. Some famous 20th century cryptanalysts 


22.1 Success in Breaking 

Cryptography itself has its enemies. Generals and ambassadors sometimes 
consider the trouble not worthwhile. They may feel that depending on a 
crypto clerk is time-wasting and humiliating, and may doubt his or her hon¬ 
esty. The great philosopher Voltaire even went so far as to call codebreakers 
charlatans: ceux qui se vantent de dechiffrer une lettre sans etre instruit des 
affaires qu ’on y traite ... sont de plus grands charlatans que ceux qui se van- 
teraient d'entendre une langue qu'ils n’ont point apprise [Those who boast of 
being able to decrypt a letter without being informed on the affairs it deals 
with ... are greater charlatans than those who would boast of understanding a 
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language they had not learned]. And the Earl of Clarendon, a hundred years 
earlier, wrote in a letter to the doctor John Barwick “I have heard of many 
of the pretenders of that skill, and have spoken with some of them, but have 
found them all to be mountebanks.” In 1723, the British House of Commons 
spoke of the ‘mystery of decyphering’. Public opinion on cryptographers has 
improved slightly since. Still, cryptanalysts cannot do miracles. 

Some names of successful unauthorized decryptors have become known: in 
the First World War the British William R. Hall, Nigel de Grey, Malcolm Hay 
of Seaton, Oswald Thomas Hitchings, the French Georges Painvin, Frangois 
Cartier, Marcel Givierge, the US American Parker Hitt, J. Rives Childs, 
Frank Moorman, Joseph O. Mauborgne, Herbert Osborne Yardley, Charles 
J. Mendelsohn, the Italian Luigi Sacco, the Austrian Maximilian Ronge, An¬ 
dreas Figl, Hermann Pokorny, the Prussian Ludwig Deubner and the Bavar¬ 
ian Ludwig Foppl. Many more were forgotten and never publicized. In the 
Second World War, there was an even greater number of persons involved in 
codebreaking, many during wartime only. In Fig. 184, photographs of some 
famous 20th century cryptanalysts can be found. In a recent book edited by 
Francis Harry Hinsley and Alan Stripp, memoirs of some 30 Bletchleyites, 
as they were proudly called, are collected. It is partly accidental whether a 
cryptanalyst becomes known—Fedor Novopaschenny at the Reichswehr Chi- 
Stelle, Walter Seifert and Georg Schroder at the Forschungsamt, and Fritz 
Neeb at Army Group Mitte are examples. Cort Rave (see Sect. 19.4.1.2) 
remained totally unnoticed, and so did until recently Hans-Joachim Frowein 
from the B-Dienst and Sergei Tolstoy, a great codebreaker of the Soviet Union. 

22.1.1 B-Dienst, Chi-Stelle, Sonderdienst Dahlem. A person who 
lived in the background until David Kahn made his name public is Wilhelm 
Tranow. A former radioman in the Kriegsmarine , he cracked Royal Navy 
signals in the First World War and was successful again in 1935. During 
the Second World War he was Head Cryptanalyst of the German Navy’s 
B-Dienst 2 . Perhaps as a result of the way the Second World War ended, 
little has been known about German codebreaking (apart from Rohrbach’s 
success), but it would be wrong to conclude that there were none. As an 
unbiased historian, David Kahn describes the situation in mid-1943 of the 
B-Dienst under the regime of the experienced and energetic Tranow as fol¬ 
lows: “... the B-Dienst was at the height of its powers, solving 5 to 10% 
of its intercepts in time for Donitz to use them in tactical decisions. Early 
information sometimes enabled him to move his U-boats so that a convoy 
would encounter the middle of the pack.” One thousand men worked for 
Tranow at Berlin headquarters, and 4000, many intercept operators, in the 
field (Kahn). Indeed, from April 1940 on, the B-Dienst broke a third to a 
half of the current naval cypher, including the British Merchant Navy Code. 
When the British introduced Naval Cypher No. 2 (German codename ‘Koln’) 

2 Short for Beobachtungsdienst , originated from the Beobachtungs- und Entzifferungs- 
dienst of the Kaiserliche Marine, therefore sometimes also called \B-Dienst or xB-Dienst. 
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Fig. 185. Entry in the war diary (June 15, 1943) of the Chief, German Navy radio recon¬ 
naissance: “ Since at present none of the main English cyphers can be read ... 
The identified change of the ‘Frankfurt’ key was communicated by X-B report 
1145A to ... ” 

on August 20, 1940, it was partly broken towards the end of 1940 and fully in 
February 1941, and remained so for more than two years. Thus during the cli¬ 
max of the U-boat war, Naval Cypher No. 3 (German codename ‘Frankfurt’), 
introduced in June 1941 for the Allied Atlantic convoys, was compromised. 
The task included stripping off the superencryption of what actually was a 
code, and for this purpose six Hollerith tabulating machines were used to find 
parallels. By the end of 1942, 80% of the signals were deciphered, but only 
10% in time to be operationally useful. Donitz conceded that more than half 
of his total information came from this source. It ran dry only when Comman¬ 
der (later Vice Admiral Sir) Norman Denning’s suspicions were aroused by 
ENIGMA sources decrypted in Bletchley Park, whereupon the British Navy 
and the British Merchant Navy discontinued Naval Cypher No. 3 on June 
10, 1943 (Fig. 185) and started to use Naval Cypher No. 5 together with Tilt- 
man’s stencil subtractor, a grille introduced by mid-1943. Nevertheless, the 
Germans still obtained some decryptions (Fig. 186). The British command, like 
the German, did not like to believe that their codes might be insecure. Patrick 
Beesly blames the defeat on Bletchley Park, which was offensively minded 
and did little to defend the security of their own encryption methods. 

Colin Burke reports that there was rivalry and a choked flow of information 
between the United Kingdom and the United States of America in 1942. This 
stopped at the naval side in October 1942, continued on the army side until 
about September 1943; finally, however, an unprecedented cooperation and 
relationship of trust developed. 

The question has been asked: Did cryptanalysis decide the Battle of the At¬ 
lantic? Jurgen Rohwer and Harry Hinsley have pointed out that the situation 
was quite balanced as long as the British were forced to wage defensive war¬ 
fare. Only after mid-1943, when the Allies were strong enough to turn to an 
offensive anti-U-boat war, was the German U-boat command crippled. 

The success of the B-Dienst had tradition: When the war broke out, it could 
already read Naval Cypher No. 1, a 4-digit superencrypted code; this became 
possible following a compromise in 1935 in the Abyssinian War with a widely 
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Fig. 186. Comparison of a radio signal of CINCWA from September 14, 1943 to convoy 
ONS 18 with a decryption by the B-Dienst of the Kriegsmarine: ... vermutlich 
Treffpunkt... 16.9. 1400 Uhr [German summer time] Position 56 08 N 16 19 W 


used 5-digit naval code that was already broken. During the attack on Norway 
in April-May 1940, the Kriegsmarine always had a precise picture of the sit¬ 
uation in the British Admiralty. This explains somewhat the surprisingly for¬ 
tunate course of events for the Germans. Tranow’s great success went back to 
First World War experiences. Kahn cites an anonymous source: “If one man 
in German intelligence ever held the keys to victory in World War II, it was 
Wilhelm Tranow.” With the criminal Hitler there was no key to this victory. 

The Chi-Stelle of the German Reichswehr , according to Huttenhain, broke the 
traffic between the French War Ministry and the French army departments 
early in the 1930s. However, their encryption was miserable: a numeral 
code which remained fixed for many years was superencrypted by a periodic 
VIGENERE modulo 10 with a period varying between 7 and 31. All sig¬ 
nals could be read. Only between Paris and Savoy was a different method 
used, involving a transposition for superencryption. In 1938, OKW’s Chi 
succeeded here, too. When war started on September 3, 1939, the French 
War Ministry ordered this method to be used throughout. Thus, the Ger¬ 
mans could read the French wireless signals from the first day without delay, 
which explains the advantages they had in the battle of France in June 1940. 
France had made the mistake (Sect. 11.1.3) of adopting as her main method 
an encryption method that had already been in restricted use for some time. 
Rohrbach’s lasting success between 1942 and September 1944 against the 
strip cipher method of US diplomacy was already discussed in Sect. 14.3.6. 
The so-called CQ radio signals of the State Department in Washington to 
all its diplomatic missions played an important role in creating cryptotext- 
cryptotext and even plaintext-cryptotext compromises. 

Less important was the success mentioned in Sect. 19.4.1 against the Ruma¬ 
nian military attache. But military attaches as a rule are quite promising 
goals, with a mixture of military and diplomatic habits leading to interfer¬ 
ences. While Field Marshal Rommel in North Africa was fighting against 
the British 8th Army under Field Marshal Montgomery in the fall of 1941, 
the Germans of the Forschungsamt in Berlin succeeded in penetrating the 
traffic of the American Military Attache in Cairo, Colonel Frank Bonner 



22.1 Success in Breaking 4 75 


Fellers (later Brigadier General and military secretary to General Douglas 
MacArthur)- -partly because Fellers had the persistent habit of beginning 
his signals with stereotypes, partly because Italy, then still at peace with the 
USA, had its penetrazione squadra ‘borrow’ the codebook from the Ameri¬ 
can Embassy in Rome in order to copy it. Fellers reported day by day in 
the brand new BLACK code among other things the plans of the 8th Army 
for the next day, which could always be forwarded to Rommel within a few 
hours. The USA was cryptologically an unsafe ally of Britain. Italy was 
more prudent, or at least she thought so: The Chief of the Italian Intelli¬ 
gence Service, General Cesare Ame, did not provide the Germans with the 
codebook, but gave them only decryptions. Since the Germans also recorded 
the cryptotext signals, they had a perfect plaintext-cryptotext compromise 
and could reconstruct the codebook, and could even check the trustworthiness 
of their ally. The break had catastrophic consequences in June 1942 for an 
Allied convoy bound for Malta. Bletchley Park once more cast suspicion on 
their friends and Fellers had to resign. Nevertheless, he was decorated with 
the Distinguished Service Medal. He was almost as bad as Robert D. Murphy. 

In using their Hagelin M-209 machines, the cipher clerks of the US Army 
proved no more disciplined than their German colleagues: they chose for 
message keys preferably six initial letters from their girlfriends’ names, and 
thus usually the same keys a whole day long. Such in-phase encryptions 
allowed Erich Hiittenhain to penetrate daily the none-too-secure Beaufort 
encryption. Field Marshal Erwin Rommel profited from this (Otto Leiberich). 

22.1.2 Ango Kenkyu Han. Japan tried in the 1930s to break not only 
Chinese codes, but primarily American ones. This was not too difficult, since 
despite Yardley’s warning (Sect. 8.5.6) US diplomatic cryptology was still ir¬ 
responsible. Under Roosevelt a new code, BROWN, was introduced, but 
it came into the hands of a gang of safe-crackers in Zagreb, and thus was 
probably compromised, yet it was not taken out of use since ‘only’ criminals 
were involved. And Stanley K. Hornbeck wrote to his boss, the Secretary 
of State Stimson: “Mr. Secretary: I have the feeling that it is altogether 
probable that the Japanese are ‘breaking’ every confidential telegram that 
goes to and from us.” The unreliability of American diplomatic codes was ac¬ 
cepted as inevitable. In this situation it is not astonishing that the decryption 
service of the Japanese Foreign Ministry, Ango Kenkyu Han, was sometimes 
successful in decrypting the simpler codes, e.g., GRAY. But it had no joy 
with BROWN and Tokumu Han, the decryption service of the admiralty, was 
also unlucky. Nothing but a raid could help; under the command of Cap¬ 
tain Hideya Morikawa, towards the end of 1937 the BROWN code and the 
strip cipher device M-138, the appearance of which was not known to the 
Japanese, were photographed in the American consulate in Kobe. Neverthe¬ 
less, they did not manage to read the M-138 traffic. The Tokumu Han sailors 
then concentrated on the related strip cipher device CSP 642 of the US Navy 
(Sect. 14.1). They got results only slowly, because their methods were behind 
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the times. But they had received the BAMS code (Sect. 4.4.5) from the Ger¬ 
mans, whose raider ship Atlantis had captured it on July 10, 1940. The Ja¬ 
panese only had to strip the superencryption, which they managed, of course. 

In the opposite direction there was more success. The USA, carrying the 
main load of the Allied war effort in the Pacific theater, scored also the most 
solutions of Japanese wireless signals. Japan may have felt that she was 
protected by her language being strange and impenetrable to Westerners; but 
this was not the case. The Americans broke Japanese codes and ciphers in 
the 1920s (Yardley), 1930s (Holtwick), and 1940s (Rosen). There are reliable 
reports (see Sect. 19.4.1.2) that also the German side broke continually the 
PURPLE traffic of its ally. 

Little is known about US American success in breaking Soviet encryption 
after the Venona breaks. In 1972, during the Strategic Arms Limitation 
Talks, NS A made a hit, “but the solution came by a fluke, made possible by 
a Soviet enciphering error” (Kahn). Such a thing may happen now and then. 
And if it happened more often, there were good reasons not to brag about it. 

22.1.3 Glavnoye Razvedyvatelnoye Upravlenie (Razvedupr, GRU). 

The ‘Chief Intelligence Directorate’ of the Soviet Union—notwithstanding 
its reputation in eavesdropping, spying, theft, and blackmailing—also had 
cryptanalytical successes, e.g., against Swiss diplomacy working with Hagelin 
machines as well as against Italy, not to speak of smaller nations. 

Toward the end of the Second World War, the number of ENIGMA cipher 
documents seized by the Red Army grew to such an extent that the per¬ 
centage of successes against Wehrmacht ENIGMA traffic was considerable. 
However, it seems that there were no codebreaking machines comparable to 
the Polish, British, and US American BOMBEs. In the Cold War era, ac¬ 
cording to Louis Tordella, the Soviet Union was even successful against the 
rotor machine KW-7 used by NATO. In 1992, David Kahn found a Rus¬ 
sian living at the time in Britain, Victor Makarov, who had worked as an 
interpreter in the 16th Directorate of the K.G.B. (Director: General Andrei 
Nicolayevich Andreyev) and was familiar with its work. From him and by 
later contact with Andreyev, Kahn learned some details, among which was 
the contention that, from the end of 1941, Soviet cryptanalysts under Sergei 
Tolstoy had success against the Japanese PURPLE machine. However, a 
technically complete picture of Soviet cryptanalysis is still lacking. 

22.2 Mode of Operation of the Unauthorized Decryptor 

Since I am not a professional day by day decryptor, I feel it difficult and easy 
at the same time to speak about the work of the unauthorized decryptor. 
Difficult, because I have collected my experiences without the pressure of the 
professional environment and without sweat and tears. Easy, because I am 
not in danger of being infatuated by success or embittered by failures. How- 
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ever, my mathematical approach has helped me to systematize cryptological 
attack and defense. 

Anyhow, the literature and my personal contacts have shown me that pro¬ 
fessional clecryptors do not have an easy life. Marian Rejewski (August 16, 
1905-February 13, 1980), for example, went back after the war to communist 
Poland and had to choose a job as a business director rather than to make a 
university career. Alastair Denniston advised his son Robin: “Do what you 
like to do, but don’t do what I do.” Robin Denniston became a publisher. 
Sometimes it may have been difficult to keep absolutely silent, and this also 
for twenty, thirty or forty years; especially in situations like the one Irving 
John Good experienced: he was stationed in a hotel near Bletchley Park and 
was treated by a retired banking clerk to a lively description of a commercial 
ENIGMA which his bank had used in his earlier days. 

It is naturally only the work of the unauthorized decryptor which is of math¬ 
ematical interest, where here an experienced decryptor is understood. Expe¬ 
rience in decryption must be won through many years of practice. Thus the 
decryptor, depending on his situation and inclination, will develop either a 
more linguistic or a more mathematical orientation. Solutions of sufficiently 
complicated methods are the collective works of several decryptors of both 
orientations, either of which in turn has yet further specialists. The mathe¬ 
maticians in particular need specialists in machine methods. 

Hans Rohrbach 1949 

Deciphering is an affair of time, ingenuity, and patience. 

Charles Babbage 1864 

The cryptographer’s main requisites are probably patience, accuracy, stamina, 
a reasonably clear head, some experience, and an ability to work with others. 

Christopher Morris 1992 

22.2.1 Glamour and misery. The work of the professional cryptologist 
is thankless; he is not allowed to celebrate his success in public or with his 
friends, and not even his family will be allowed to know what he is doing. He 
is permanently in danger of being abducted or blackmailed. Such restrictions 
usually persist even after active duty. 

On the other hand, Ralph V. Anderson, who in 1940 entered the code room 
at the US Navy Department in Washington, D.C. and in 1946 joined the 
Department of State in cryptography, where he served for almost twenty 
years, confessed “If I had been given the choice of any position I wanted, I 
would have chosen the one I had.” 

22.2.2 Personality. It seems to be most difficult to give general rules and 
advice for the attitude to be applied in unauthorized decryption. Certainly, 
dogged obstinacy will be needed. But Bazeries, who was a very successful 
cryptanalyst, recommended changer son fusil d’epaule , trying a new line of 
attack, which will only help people with enough imagination. Not to be 
blinkered, not to follow the beaten track; this is more easily said than done. 
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Fresh ideas will help. The example of Alan Turing and Gordon Welchman 
shows this: in their inexperience lay their strength. Therefore they were 
better than Dillwyn Knox, who was much more experienced, but also less 
daring. As a team, Turing and Knox were unbeatable, and even Turing and 
Welchman together achieved more than the mere sum of their working power. 

One thing will not happen to the successful unauthorized decryptor: he will 
not be discouraged by the alleged complexity of the task. The Poles were so 
successful because they automated any analysis that was too time consuming 
for hand work after they had found the idea. The expectations of OKW/ Chi 
for how long it would take to break the ENIGMA were cut by parallelization 
by a factor of six and by mechanization by a factor of at least twenty. The 
Welchman Bombe even makes trillions of cross-plugging possibilities irrel¬ 
evant, as Welchman remarked proudly, because the avalanche propagation 
of the voltage in a relatively simple feedback circuit is done “in less than a 
thousandth of a second.” 

Sometimes, an interchange helps, as in the case of Hugh Foss. “Foss had 
returned from sick leave in the late Summer [1940] and joined Turing, Twinn 
and Kendrick. Everyone else having worked on May 8th [signals] till they 
were heartily sick of it, it was handed over to Foss who, not having seen it 
before, did not view it with the same aversion. After months of work he 
finally succeeded [November 1940] in finding ...the menu for the bombe ... . 
This success was undoubtedly due to Foss’ pertinacity; he did not know 
the mathematical theory to the extent that Turing did but he had endless 
perseverance and Banburism was a problem on which this quality always paid 
a good dividend” (Hugh Alexander). B.P. memorizes May 8th as ‘Foss’ Day’. 

22.2.3 Strategies. In principle there are infinitely many ways of crypt- 
analytic attacks. In the following, only a rough survey of the strategies of 
cryptanalysis is given. 

22.2.3.1 The purest form of unauthorized decryption makes no assumption 
whatsoever. This pure cryptanalysis does not use and does not need the lin¬ 
guist, for it is mathematical in nature. In some cases of a plaintext-plaintext 
compromise, e.g., determination of the period of a polyalphabetic encryption 
(Chap. 18) or in-phase adjustment and superimposition of several polyalpha¬ 
betic encryptions with different initial key settings, as well as in the case of 
a cryptotext-cryptotext compromise (Chap. 19), pure cryptanalysis performs 
a reduction to an intermediate language which is a monoalphabetic, possibly 
polygraphic encryption of the plaintext language. Thus, as David Kahn said, 
it functions in principle even for a language that the unauthorized decryptor 
does not know, e.g., the last intermediate text of a composition of two or more 
encryptions, say superencrypted code where the codebook is not known. 

Pure cryptanalysis is directly suited for execution by a machine and it can be 
written in the form of a computer program (Gillogly 1995). Pure cryptanaly¬ 
sis as a rule needs only somewhat longer texts than any of the attacks below. 
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22.2.3.2 Pure cryptanalysis is an extreme case of the cryptotext-only at¬ 
tack (‘known cryptotext attack’), which allows only reflections and assump¬ 
tions on the kind of language the plaintext is taken from. Typically, the 
distribution of the frequencies of the single characters in the cryptotext is 
investigated. If it is reasonably close to one of several natural languages that 
could come under consideration, all encryption methods can be excluded 
which level frequencies, in particular proper polygraphic ones (provided they 
do not feign frequencies, as discussed in Sect. 4.1.2) and proper polyalpha- 
betic encryptions; among the remaining monoalphabetic ones are functional 
simple substitutions, transpositions and their compositions. If even the indi¬ 
vidual letter frequencies are close to those of some natural language, proper 
simple substitutions can be excluded; among the remaining ones are trans¬ 
positions, as well as polygraphic encryptions feigning a transposition. 

Thus a frequency examination (Chap. 15) may break a monoalphabetic en¬ 
cryption; it may also be used to strip a simple substitution from a transpo¬ 
sition. 

However, if the distribution of the frequencies of the single characters in 
the cryptotext is leveled, then (provided the use of polyphones can be ex¬ 
cluded) suspicion about a polyalphabetic and/or polygraphic encryption is 
justified. Both possibilities are to be taken into consideration. In the first 
case, pure cryptanalysis may help to find a reduction to a monoalphabetic 
simple or proper polygraphic substitution, which may be treated with a fre¬ 
quency examination (Chap. 15) of single characters or of polygrams. These 
examinations are already linguistic in nature. 

22.2.3.3 Much more linguistic are the methods based on a partial or com¬ 
plete plaintext-cryptotext compromise. They use probable words or phrases 
as starting points for pattern finding (Chaps. 13, 14). There is the known 
plaintext attack and the chosen plaintext attack , which differ only in the way 
the compromise is achieved, passively or actively. The known plaintext attack 
needs sly, clever guesses of plaintext fragments. Sympathetic understanding 
of the adversary’s feelings, of his ways of thinking, of his idioms and phrase¬ 
ology is required, and this is helped by knowing not only the adversary’s 
language, but also his milieu. 

The British in Bletchley Park had champions in preparing the confronta¬ 
tions of plaintext fragments and cryptotext, the cribs (Sect. 19.7.1); only a 
few of them can be mentioned here. As well as the linguist Hilary Hinsley 
nee Brett-Smith and the linguistically versed mathematician Shaun Wylie, 
there were also people with a kind of abstract ability for pattern finding in 
Bletchley Park: the chess champion Hugh Alexander and the formally gifted 
Germanic philologist Mavis Batey nee Lever. Her abilities can be illustrated 
by the fact that she noticed one day the absence of the letter l in a long 
fragment of ENIGMA cryptotext. To notice this was already unheard of. 
But she also concluded that this was caused by a long filling with plaintext 
/!/. This successful assumption led to the determination of the setting, to a 
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lasting break, and finally to the victory of the British fleet over the Italian 
on March 28, 1941 near Cape Matapan on the Greek coast. 

Success in the known plaintext attack requires, moreover, that the unautho¬ 
rized clecryptor is in possession of all the results of intelligence, from combat 
reconnaissance, from interrogation of prisoners, from questioning of civilians, 
from eavesdropping, from spies, and particularly from decryptions achieved 
by other decryptors. This requirement is very much in conflict with security 
measures (‘need to know’ doctrine) and also politically unrealistic—otherwise 
it would have been best if in the Second World War Churchill himself had 
prepared the cribs. 

The chosen plaintext attack, on the contrary, needs cunning in producing 
a compromise. Cunning is inexhaustible. Events that have been reported 
vary from inducing a certain combat action, like artillery fire in the First 
World War and the ‘erloschen ist leuchttonne’’ trick in the Second World 
War (Sect. 11.1.3), to foisting a message on the adversary, like the Japanese 
cuckoo’s egg and Figl’s newspaper forage (Sect. 11.1.2). 

A third case, derived plaintext attack , comes from a cryptotext-cryptotext 
compromise if one of the systems is already broken and the plaintext can 
thus be obtained. This ‘continuation of a break’ was a frequent stratagem 
in Bletchley Park, where the emergency situations leading to a cryptotext- 
cryptotext compromise were deliberately induced (‘gardening’, Sect. 19.4.1). 

22.2.3.4 A particular sort of attack, the chosen ciphertext attack , may be 
used in the case of asymmetric methods with a public key for encryption, 
when the functioning of a tamper-proof ‘black box’ for decryption is wanted, 
i.e., the private key is to be revealed. 

22.2.4 Hidden dangers. A cryptotext-cryptotext compromise is par¬ 
ticularly insidious because it is so easily overlooked. It may be caused by 
the installation of many key nets if there is a lack of cipher discipline (see 
Sect. 19.4.1) or it may be a consequence of cryptological thoughtlessness (e.g., 
indicator-doubling with the ENIGMA until May 1940, Sect. 19.6.1). Specific 
methods of attack are also discussed in Sects. 19.4 and 19.5. Cryptotext- 
cryptotext compromises allow pure cryptanalysis which can be done with 
supercomputers. Since for public keys cryptotext-cryptotext compromise is 
inherent in the system, the danger hopefully prompts increased wariness. 

22.2.5 Deciphering in layers. For a composition of encryption meth¬ 
ods, one normally aims at stripping off one encryption after another. This 
is easier if a superencryption is made over an encryption method that has 
been used for some time and has been broken in the meantime: the interme¬ 
diate text is then considered to be in a a known language. It is particularly 
simple if the superencryption method is already broken, for then the compo¬ 
sition is no more resistant than the newly introduced method (S.D. superen¬ 
cryption, Sect. 19.6.3.1). Quite generally it can be stated that the German 
Armed Forces could not have educated their adversaries better regarding the 
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ENIGMA: they introduced refinements in small steps, each time late enough 
so that the Poles and the British had mastered the last step. And this hap¬ 
pened on other occasions too: When in April 1944 at Mykonos documents 
on a Reserve-Handschliissel- Verfahren fell into the wrong hands, the method 
was not changed totally, but only slightly and stepwise, educating the British. 

22.2.6 Violence. Cryptanalysis in the proper sense does not include pro¬ 
curement of the adversary’s encryption documents and devices (up to whole 
machines) by illegal purchase, spying out at customs offices, theft and burgla¬ 
ry, or combat missions and raids (Sect. 11.1.10). The experiences of the Se¬ 
cond World War have fully confirmed Kercklroffs’ admonition and Shannon’s 
maxim “The enemy knows the system being used.” The SIGABA (ECM 
Mark H) of the US Army was one of the few devices of the Second World War 
that did not fall into the hands of the enemy, and this perhaps only because 
after the D-Day landings the war in Europe was over in less than a year. 

Moreover, the destruction of the wire-bound communication channels of the 
adversary, which the Allies executed before and during the landings in Nor¬ 
mandy, assisted cryptanalysis: its effect was “to force a proportion of useful 
intelligence on to the air” (Ralph Bennett). 

22.2.7 Prevention. What can be done to prevent cryptanalysis, to protect 
communication channels? The most important defensive weapon seems to 
be imagination. It is necessary to enter completely into the cryptanalytic 
thinking of the hypothetical unauthorized decryptor, and to be able psycho¬ 
logically to do so. Inhibitions are as out of place as arrogance is. The defen¬ 
der, the designer of the method or of the machine and its operation, should 
not only have some imagination, he or she must have enough imagination to 
sense the imagination of the attacker. 

There are three cases of grave thoughtlessness from the rich story of the 
ENIGMA decryption (for 1. and 2., examples are to be found in Fig. 62): 

1. It was absolutely unnecessary to rigorously abstain from using the same 
rotor in the same position on two consecutive days, as the Luftwaffe did (‘non¬ 
crashing wheel order’). This mock randomness saved the British a lot of work 
in finding the wheel order, once a continuous flow of encryptions was estab¬ 
lished. The German Navy dictated that the rotor order always contained a 
rotor VI, VII, or VDI (which reduced the number of rotor orders used to 276), 
moreover that on the second day of a pair of odd-even-numbered days the ro¬ 
tor order and ring setting were the same as for the first day (this meant that 
on the second day cribs had only to be run on one rotor order). Over the years 
it turned out that the German keymakers were allowed to have preferences 
and were ignorant of the concept of randomness: so they used in each month 
seven of the eight rotors exactly twice and one once in the leftmost rotor posi¬ 
tion, or from not using the same rotor order twice in the same month. On oc¬ 
casion, hair-rising flaws occurred, so when in April 1944 in the key net TUR¬ 
TLE (U-boats in the Mediterranean Sea) the March keys were repeated, or 
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when in April 1944 in the key net SEAHORSE (‘ Bertok Berlin-Tokyo traf¬ 
fic) the rotor order and ring setting were constant for each of three decades. 

2. It was bad to avoid the use of two consecutive letters, like /a/ and /b/, 
for steckering, since this reduced the number of plugboard connections to be 
tested in the bombes and even allowed the British to build a special catch 
circuit which they wittily called CSKO, ‘consecutive stecker knock-out’. With 
the German Navy, a letter was never steckered for two days in succession. 
This was a most encouraging discovery for B.P., since it meant as long as the 
Navy still used 6 steckers then, having broken the steckering for one day, 12 
unsteckered letters for the next day were known. 

3. It was stupid to make the entrance substitution (performed by the plug¬ 
board) self-reciprocal, thus allowing the diagonal board. Neither the British 
TYPEX nor the Japanese PURPLE had this ‘simplification’. In fact, the Ger¬ 
mans occasionally used the Uhr box 3 (Plate M), an artificial and awkward at¬ 
tachment that made the plugboard substitution (but not the full ENIGMA 
encryption) non-involutory, putting the diagonal board ‘out of business’ 
(Welchman). The Uhr box was to be changed frequently—a telling sign 
that the German authorities in 1944 had serious doubts about the security 
of the ENIGMA, but could not help it anymore. 

The faults around the ENIGMA were called by Welchman “a comedy of 
errors.” He wrote: “The German errors ... stemmed from not exploring the 
theory of the Enigma cipher machine in sufficient depth, from weakness in 
machine operating procedures, message-handling procedures, and radio net 
procedures; and above all from failure to monitor all procedures.” Then he 
went on to mention the indicator doubling, the ‘cillies’ and Herivel tips, 
‘Parkerism’ (a habit of the German producer of operating instructions that 
flourished in 1942 of repeating entire monthly sequences of discriminants, 
ring settings, wheel orders, or steckers; e.g., SCORPION settings were copies 
of PRIMROSE settings for the previous month); and not least ‘inadvertent 
assistance’ of German staff members in providing cribs. All these faults may 
be blamed solely on people: he wrote “the [ENIGMA] machine as it was 
would have been impregnable if it had been used properly.” 4 

22.3 Illusory Security 

Welchman could have added ironically that just this can never be expected— 
in line with Rohrbach’s maxim (Sect. 11.2.5) that no machine and no crypto¬ 
system will ever be used properly all the time. The wartime cryptanalyst and 

3 The Uhr box, introduced in 1944, amounts to using 10 stecker pairs and lias 40 positions, 
10 of which (0, 4, 8, ..., 36) preserve involution. The scrambler inside performs a 
permutation with the cycle representation (1 31 5 39 9 23 17 27 33 19 21 3 29 35 13 11) 
(0 6 16 26) (2 4 18 24) (12 38 32 22) (14 36 34 20) (7 25) (8 30) (10 28) (15 37). 

4 Nevertheless, German cipher security improved throughout 1944 and the first half of 1945 
(Ralph Erskine, Philip Marks)—when it was too late. But the worst mistake, repeated 
from 1933 until 1945, was introducing cryptographic improvements in a piecemeal fash¬ 
ion, as Marian Rejewski has characterized it by enumerating more than a dozen steps. 



22.3 Illusory Security 483 


peacetime mathematician Hans Rohrbach knew it. Adolf Paschke, Vortragen- 
der Legationsrat of AA and nominal head of the linguistic group in Pers Z, 
knew it as well. He strongly advocated against using the ENIGMA in the 
diplomatic channels even for topics of lesser importance, like visa regula¬ 
tions. Cipher machines were frowned upon. The Geheimschreiber T 52a was 
considered unsafe; in fact it was discovered in the AA how it could be crypt- 
analyzed without much labor. This explains the parallel success Beurling 
had. And T 52e messages transmitted by Military Attaches on German AA 
channels were decrypted by Pers Z people themselves. Only for non-secret 
traffic within Germany on wire lines was T 52c considered acceptable. One 
exception was made in 1944 on the wireless line between Madrid and Berlin, 
where an SZ 42 Schliisselzusatz was used for messages up to Geheim, but not 
for the top classification Geheime Reichssache. This reflects the caution Pers 
Z took. And Erich Fellgiebel, Chief of OKW Signal Communications, is said 
to have it expressed by exaggerating: l Funken ist Landesverraf (Sect. 11.1). 

Otherwise and elsewhere, the spirit of illusory security blossomed. Whereso¬ 
ever there was a chance for a quicker and less secure cryptographic method, it 
had good prospects. Wishful thinking prevailed. Typically, a warning coming 
on August 10, 1943, apparently from a source around the Swiss Colonel Mas¬ 
son, that Britain was reading the ENIGMA traffic (Fig. 187), was ignored. 

Am lo.8« glug folgende Melding liter 10 Seiwela tint 

"3*lt einigen Monaten- Entzifferuag detrtnchen Marine- 
codes hlnsichtlich 2efehlen an operierende Utoo+e. gegltlckt. 

Alle Befehlo werden aitgeleaen. 

Zusatzi Quelle Anerlie-Schweizer in holier 'ekretarete Hung 
in USA-aterino-Hinlsterina.* 

Fig. 187. From the Kriegstagebuch (KTB) of the Befehlshaber der U-Boote, 13. 8.1943. 

Report, apparently from a Swiss source (KO = Kriegsorganisation, i.e., Abwehr), 
‘Deciphering German Navy code. All orders are read’. (Courtesy Ralph Erskine) 

Apart from the rare cases when individual keys were used at all, let alone 
made properly and run with care, very few cryptological systems remained 
unbroken between 1900 and 1950. In the ENIGMA case, the Navy key nets 
l Neptun\ l Thetis\ ‘ Aegir ’ and ‘ Sleipnir ’ were impregnable, but some of them 
had very little traffic or carried messages considered not to be important 
enough by the Allies. 

Sometimes there is for quite a while a balance between the cryptanalyti- 
cal successes of two powers. For example, “in the war at sea during 1939- 
1942, Germany gained as much from cryptanalysis as Britain did” (John 
Ferris). After all, there was “the German seizure of British codebooks from 
the steamer Automedon on November 11, 1940” (John Ferris). However, af¬ 
ter mid-1943 the situation changed thanks to intensified British precautions. 

Supervision of one’s own side’s traffic was occasionally done; for example, 
when Rowlett found a weakness as Friedman’s Converter M-228 SIGCUM 
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went into operation in January 1943 (see Sect. 8.8.6). It would have paid back 
if, for example, an OKW Special Group had supervised the ENIGMA traffic 
of Goring’s undisciplined Luftwaffe key net RED; they would have found the 
leakages the British profited from early enough to stop further disastes. 

But even supervision does not help, if it is done insufficiently. Paschke knew, 
of course, that the AA one-time pads were fabricated mechanically by an 
array of 48 five-digit counters; after every printing step, most of them were 
moved forward at an irregular interval (‘complementary propulsion’). As a 
special precaution, consecutively printed sheets were never assembled into 
the same block. This seemed to be completely sufficient, but it was not, as 
the GEE-GEC story (see Sect. 19.5.1) shows. 

22.4 Importance of Cryptology 

The reader who has read this book chapter by chapter may at first have found 
it difficult to suppress a smile from time to time. The history of cryptology 
is full of exciting, funny, personal stories. That makes it attractive even for 
the layman. 

Little by little, however, somber shadows are cast over the scene. The battle 
of Tannenberg gives a first example. The entry of the USA into the First 
World War was triggered by a telegram on January 16,1917 from the German 
Foreign Minister Arthur Zimmermann to the ambassador in Mexico, Heinrich 
von Eckardt, that was decrypted in London’s Naval Intelligence Department 
25 (NID 25, commonly called Room 40) of the Admiralty by Nigel de Grey 
(1886-1951), assisted by Alfred Dillwyn Knox (1884-1943). Its content—a 
proposal to stir up Mexico against its northern neighbor—was brought to the 
notice of President Wilson, who concluded that “right is more precious than 
peace.” And the events of the Second World War were played out in front of 
a hideous backdrop. The decades of the Cold War displayed a cruelty which 
the romantics of spy novels cannot wipe away. 

Talking to a former cryptanalyst in his official capacity always needs tact and 
discretion. Sometimes one confronts the arrogance of the professional who 
shows that he knows something but does not say what he knows. However, to 
be prudent is good advice for the professional, as the example of Welchman 
shows; he faced persecution after publication of his book The Hut Six Story. 

22.4.1 Scruples. Cryptanalysis was felt by many of the people involved 
as a heavy burden, not so much because of the nervous stress, but because 
of conflicts of conscience. To give a serious example: A codebreaker may 
have for years successfully worked against a potential enemy, and the foe 
may suddenly become an ally. Such a situation happened following the June 
22,1941 German aggression of the Soviet Union, when Churchill gave orders 
for an abrupt halt of British activities against the USSR. Actually, ‘it was not 
until December that the Russion section [of GC&CS] was closed down. Even 
then, the Poles [within GC&CS] were told to continue intercepting traffic and 
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trying to break it’ (Michael Smith). M.I.5 continued to keep a watch on the 
Russians. ‘The preparations for the second Cold War had already begun’. 
Cryptology shares this hardship not only with other branches of mathematics 
and computer science which are in danger of misuse but to a large extent with 
other sciences like physics, chemistry, and biology—it may suffice to mention 
the keywords nuclear energy, poison gas, and genetic manipulation. The 
price our century has paid for the enormous progress of science—which no¬ 
body wishes to forfeit—must also be paid by the scientists themselves. They 
must measure up to high requirements of humanity. The decline of some 
communist systems of injustice and the increasing bewilderment of people 
faced with unlimited possibilities raises the hope that scientists will show in¬ 
sight and discretion. Thus, cryptology no more deserves condemnation than 
do the natural sciences. With a positive accent the back-cover text of the 
book by Meyer and Matyas says: “Cryptography is the only known practical 
means for protecting information transmitted through large communication 
networks such as telephone lines, microwave, or satellite.” Elsewhere we read: 
“Cryptology has metamorphosized from an arcane art to a respectable sub¬ 
discipline of Computer Science.” A common saying puts it this way: “Today, 
code-making and code-breaking are games anybody can play.” 

In fact, original scientific papers on cryptological themes are found today not 
only in the few specialist journals and symposia, but here and there also in 
computer science, particularly in theoretical computer science. Contact and 
mutual fertilization occur mainly with the emerging theory of complexity and 
the theory of formal languages; moreover, from mathematics, number theory 
and combinatorics are confederates. 

22.4.2 New ideas: Covert proof, ‘zero-knowledge’ proof. Crypto¬ 
logy itself has developed new ways of thinking in connection with the in¬ 
formation theory of Shannon and Renyi, and in connection with public-key 
cryptosystems has pushed new concepts such as asymmetric cryptosystems 
and authentication to the fore. Authentication even widens the aspect of 
secrecy to more general perspectives of communication. The central concept 
is the protocol , an agreed-upon method and procedure of communication; 
a cryptographic protocol between two partners includes not only measures 
based on mistrust against a third party, but also on mutual partial mistrust. 
The problem may be how two partners can share certain secrets without 
thus sacrificing other secrets. Another problem may be how two partners 
can build up confidence step by step without the risk of revealing some se¬ 
crets. Applications in daily private, public, political, and economic life are 
obvious; they concern the behavior of spouses, powers, parties, and firms. 
Everyday examples are the certification procedure of the holder of a check 
card, confirmimg that he or she is its legitimate possessor and thus its legal 
owner, or a licensing negotiation, where the inventor has to convince the pre¬ 
sumptive licensee about the usefulness and efficiency of his method, without 
compromising this before the contract is signed. This is the idea of a covert 
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proof, ‘zero-knowledge’ proof: the partner will not be told anything that he 
could not find out himself. 

The problem is quite old: In the times of Tartaglia and Cardano, mathemati¬ 
cians tried to keep their methods secret. They were willing to apply a method, 
say for the solution of algebraic equations by radicals, secretly to examples 
they were given by an opponent, and then, after a short while, to present a so¬ 
lution of the specific example like a rabbit from a hat, which everybody could 
easily check for correctness. Step by step, the spectators’ confidence in the 
efficiency and correctness of the hidden method increased, until it was estab¬ 
lished without reasonable doubt, and still the method had not been given 
away. As we know, poor Niccolo Tartaglia was not successful at this game, 
and Cardano managed to trick him out of his method for cubic equations. 
He deserves our sympathy; today he would have found a better defense. 

22.4.3 Deciphering the secrets of nature. Cryptanalysis in the widest 
sense even surpasses the frame of communication engineering. The scientific 
exploration of nature is frequently a cryptanalysis of her secrets. 

To give only one example: X-ray crystallography of proteins is a cryptanalytic 
task. To be determined is the phase function that belongs to a given ampli¬ 
tude function (in a three-dimensional space) measured in an X-ray refraction 
image. Assumptions on the structure of the molecules—e.g., the double helix 
structure of DNA as successfully guessed by Watson and Crick -play the role 
of probable words. This aspect was already discussed by Alan Turing and 
David Sayre in the 1950s. 

A very serious aim has the cognitive task of detecting patterns of any hitherto 
unknown sort in a mass of data, which corresponds to advanced methods of 
cryptanalysis, like Friedman examination and Kullback examination. 

Finally, there is the main occupation of the thinking man: recognizing situa¬ 
tions, forming concepts, elaborating abstractions. This, too, is in the widest 
sense a cryptanalytical task: It means finding something secret, something 
already existing in secrecy. Reading between the lines is the task, and intel¬ 
ligence is needed. Pure cryptanalysis tries to do this without further knowl¬ 
edge, without the help of intuition, but its results are limited, as is the reach 
of Artificial Intelligence. Where it works, it has the advantage of running 
automatically. The wide orchestra of cryptanalysis, however, uses intuition 
too, uses slyness and cunning. 

To show this interplay has been the main aim of this book. Cryptanalysis as 
a prototype for the methods in science: this has been my guiding principle 
in writing this book. Charles Babbage said ( Passages from the Life of a 
Philosopher): “Deciphering is, in my opinion, one of the most fascinating of 
arts, and I fear I have wasted upon it more time than it deserves .” I have 
spared no pains, and I hope I have not wasted my time. 
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The logic of secrecy was the mirror-image 
of the logic of information 

Colin Burke 1994 

Perfect security was promised at all times by the inventors of cryptosystems, 
particularly of crypto machines (Bazeries: je suis indechiffrable). In 1945, 
Claude E. Shannon (1916-2001) gave in the framework of his information 
theory a clean definition of what could be meant by perfect security. We show 
in the following that it is possible to introduce the cryptologically relevant 
part of information theory axiomatically. 

Shannon was in contact with cryptanalysis, since he worked 1936 1938 in 
the team of Vannevar Bush, who developed the COMPARATOR for determi¬ 
nation of character coincidences. His studies in the Bell Laboratories, going 
back to the year 1940, led to a confidential report (A Mathematical Theory 
of Cryptography) dated Sept. 1, 1945, containing apart from the definition 
of Shannon entropy (Sect. 16.5) the basic relations to be discussed in this ap¬ 
pendix. The report was published four years later: Communication Theory 
of Secrecy Systems, Bell System Technical Journal 28, 656-715 (1949). 

A.l Axioms of an Axiomatic Information Theory 

It is expedient to begin with events, i.e., sets X,y,Z of ‘elementary events’, 
and with the uncertainty 1 (Shannon: ‘equivocation’) on events—the uncer¬ 
tainties expressed by non-negative real numbers. More precisely, 

Hy{X) denotes the uncertainty on X, provided y is known. 

H{X) = H(/)(X) denotes the uncertainty on X, provided nothing is known. 
A. 1.1 Intuitively patent axioms for the real-valued binary set function H: 

(0) 0 < Hy(X) (“Uncertainty is nonnegative.”) 

For 0 = Hy(X) we say “J 7 uniquely determines X .” 

(1) Hy u z(X) < Hz{X) (“Uncertainty decreases, if more is known.”) 
For Hy u z(X) = Hz{X) we say “J 7 says nothing about A.” 

The critical axiom on additivity is 

(2) Hz(xuy) = Hy uz (X) + Hz(y) . 

This says that uncertainty can be built up additively over events. Since in 
particular H(X U (y) = H{X) + H(y), H is called an ‘entropy’ in analogy 
to the additive entropy of thermodynamical systems. 


1 The term ‘uncertainty’ was used as early as 1938 by Solomon Kullback. 
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The classical stochastic model for this axiomatic information theory 
is based on px (a) = Pr [X = a], the probability that the random 
variable X assumes the value a, and defines (Nyquist, 1944) 

H*({X}) = - £ p x (s)-]dp x (a) 

s : px(s) >0 

H®({X} U {!'}) = - ^2 Px,y(s, t) ■ Id px,y(s, t) 

s,t:pxy(?,t) >0 

H [y} ({X}) = - Y, Px,y(s, t) - Id Px\y(s,t) 

s,t: px\v{s/t) >0 

where px,Y(a,b) =def Pr[(X = a) A (Y = 6)] and p x \Y(o,/b) obeys 
Bayes’ rule for conditional probabilities: 

Px,y(s, t ) = py{t) ■ Px\y(s, t) , thus 

-Id Px,y{s, t) = -Id p Y {t) - Id Px\v{s,t) ■ 

A.1.2 From the axioms (0), (1), and (2), all the other properties usually 
derived for the classical model can be obtained. 

For y = 0, (2) yields 

(2a) Hz{fb) = 0 (“There is no uncertainty on the empty event set”) 

(1) and (2) imply 

(3a) Hz{X UX) < Hz{X) + Hz{y ) (“Uncertainty is subadditive”) 

(0) and (2) imply 

(3b) H z (y) < Hz(X U y) (“Uncertainty increases with larger event set”) 
From (2) and the commutativity of . U . follows 

(4) H Z {X) - H yuz (X) = H z (y) - H xuz (y) 

(4) suggests the following definition: 

The mutual information of X and y under knowledge of Z is defined as 
I Z {X,y) = def Hz(X) - Hy UZ (X) . 

Thus, the mutual information Iz{X,y) is a symmetric (and because of (1) 
nonnegative) function of the events X and y. From (2), 

iz(x,y) = Hz(x) + Hz(y)-H z (xuy). 

Because of (4), u y says nothing about X ” and “A says nothing about 
y ” are equivalent and are expressed by Iz(X, y) = 0. Another way of 
saying this is that under knowledge of Z , the events X and y are mutually 
independent. 

In the classical stochastic model, this situation is given if and only if 
X, Y are independent random variables: px,Y(s,t)=px(s)-Y (t) • 

Iz{X,y) = 0 is equivalent with the additivity of H under knowledge of Z : 

(5) I z (X,y) = 0 if and only if H z (X) + H z (X = H Z {X U X • 
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A.2 Axiomatic Information Theory of Cryptosystems 

For a cryptosystem X , events in the sense of abstract information theory are 
sets of finite texts over Z m as an alphabet. Let P be a plaintext (-event), C 
a cryptotext (-event), K a keytext(-event). 2 The uncertainties 
H(I<), H C (K), H P (K), H(C ), H P (C), H K (C ), H(P), H K (P), H C (P) 
are now called equivocations. 

A.2.1 First of all, from (1) one obtains 

H(K) > H P (K) , H(C) > H P (C) , 

H{C) > H k (C ) , H{P) > H k {P) , 

H{P) > H C (P) , H{K) > H C {K) . 


A.2.1.1 If X is functional, then C is uniquely determined by P and K , 
thus 

(CRYPT) H P K (C) = 0 , i.e., 

Ik(P,C) = H k (C) , I P (K,C) = H P {C) 

(“plaintext and keytext together allow no uncertainty on the cryptotext.”) 

A.2.1.2 If X is injective, then P is uniquely determined by C and K , thus 

(DECRYPT) H c ,k{P ) = 0 > i-e., 

Ic(K,P) = H C (P ) , I K (C,P) = H k (P) 

(“cryptotext and keytext together allow no uncertainty on the plaintext.”) 
A.2.1.3 If X is Shannon, then K is uniquely determined by C and P , thus 

(SHANN) H c ,p ( k ) = 0 , i-e-, 

Ip(C.K) = H P (K) , I C (P,K) = H C (K) 
(“cryptotext and plaintext together allow no uncertainty on the keytext.”) 

A.2.2 From (4) follows immediately 

H k (C) + H KtC (P) = H k {P) , H P {C) + H PiC (K) = H P (K) , 

H C {P) + H c ,p(K) = H C (K) , H k {P) + H K<P (C) = H K {C) , 

Hp(K) + H pk (C) = H P (C) , H C (K) + H aK (P) = H C (P) . 

With (1) this gives 

Theorem 1: 

(CRYPT) implies H K {C) < H K {P) , H P (C) < H P {K) , 

(DECRYPT) implies H C (P) < H C (K) , H K {P) < H K (C) , 

(SHANN) implies H P (K) < H P (C) , H C (K) < H C (P) ■ 

A.2.3 In a cryptosystem, X is normally injective, i.e., (DECRYPT) holds. 
In Figure 188, the resulting numerical relations are shown graphically. In the 


2 Following a widespread notational misusage, in the sequel we replace {X} by X and 
{X} U {Y} by X. Y ; we also omit 0 as subscript. 
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H(K) H(C) 



Fig. 188. Numerical equivocation relations for injective cryptosystems 


classical professional cryposystems, there are usually no homophones and the 
Shannon condition (2.6.4) holds. Monoalphabetic simple substitution and 
transposition are trivial, and VIGENERE, BEAUFORT, and in particular 
VERNAM are serious examples of such classical cryptosystems. 

The conjunction of any two of the three conditions (CRYPT), (DECRYPT), 
(SHANN) has far-reaching consequences in view of the antisymmetry of the 
numerical relations: 

Theorem 2: 

(CRYPT) A (DECRYPT) implies H K (C) = H K (P) 

(“Uncertainty on the cryptotext under knowledge of the keytext equals 
uncertainty on the plaintext under knowledge of the keytext,”) 

(DECRYPT) A (SHANN) implies H C {P) = H C {I<) 

(“Uncertainty on the plaintext under knowledge of the cryptotext equals 
uncertainty on the keytext under knowledge of the cryptotext,”) 

(CRYPT) A (SHANN) implies H P {K) = H P {C) . 

(“Uncertainty on the keytext under knowledge of the plaintext equals 
uncertainty on the cryptotext under knowledge of the plaintext.”) 

In Figure 189, the resulting numerical relations for classical cryptosystems 
with (CRYPT), (DECRYPT), and (SHANN) are shown graphically. 


H{K) H{C) 



H C {K) = H C {P) H k (P ) = H k {C) 


Fig. 189. Numerical equivocation relations for classical cryptosystems 
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A.3 Perfect and Independent Key Cryptosystems 

A.3.1 A cryptosystem is called a perfect cryptosystem, if plaintext and 
cryptotext are mutually independent: 

I(P,C) = 0. 

This is equivalent to H{P) = Hc{P) and to H{C) = Hp(C) 

(“Without knowing the keytext: knowledge of the cryptotext does not 
change the uncertainty on the plaintext, and knowledge of the plaintext 
does not change the uncertainty on the cryptotext”) 

and is, according to (5), equivalent to H(P, C) = H(P) + H(C ) . 

A.3.2 A cryptosystem is called an independent key cryptosystem, if plain¬ 
text and keytext are mutually independent: 

I{P,K)= 0. 

This is equivalent to H{P) = Hk(P) and to H{K) = Hp(K) 

(“Without knowing the cryptotext: knowledge of the keytext does not 
change the uncertainty on the plaintext, and knowledge of the plaintext 
does not change the uncertainty on the keytext”) 

and, according to (5), is equivalent to H(K, P) = H(K) + H{P) . 


H{K) H{C) 



Fig. 190. Numerical equivocation relations for classical cryptosystems, 
with additional properties perfect and/or independent key 

A. 3.3 Shannon also proved a pessimistic inequality. 

Theorem 3 A : In a perfect classical cryptosystem (Fig. 190), 

H(P) < H(K) and H(C) < H(K) . 

Proof: H{P) < Hc{P) ( perfect ) 

H C (P) < H C {K) (DECRYPT), Theorem 1 

H C (K) < H(K) (1) . 

Analogously with (CRYPT) for H{C) . ex 

Thus, in a perfect classical cryptosystem, the uncertainty about the key is 
not smaller than the uncertainty about the plaintext, and not smaller than 
the uncertainty about the cryptotext. 
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From (SHANN) A (DECRYPT) with Theorem 1 we find H C {P) = H C (K ); 
after adding H{C) on both sides, according to (2) we get H(P, C ) = H{K, C). 
In a perfect cryptosystem, H(P, C) = H(P ) + H(C). 

Further, according to (2), H(K,C) = H(K) + H K {C ) . Thus 

H K {C) = H{P) - (. H(K) - H(C)) = H{C) - (H{K) - H(P)) . 

In Figure 191, this result is displayed graphically. 

H(K) 

H P (K) = H P (C) —— H(C) 

Hc(K ) = H C (P) = H(P) VI 

H k (P) = H k (C) 

Fig. 191. Numerical equivocation relations for perfect classical cryptosystems 

A.3.4 By a cyclic shift of K, C, P: 

Theorem 3 C : In a classical cryptosystem with independent key, 

H(K ) < H(C ) and H(P ) < H(C) as well as 

Hc(P) = H{I<) - (H(C) - H(P)) = H(P) - ( H{C) - H(K)) . 

A.4 Shannon’s Main Theorem 

A.4.1 For a classical cryptosystem which is both perfect and independent 
key, Theorems 3 K and 3 C imply immediately that H{I\) = H{C). 

A.4.2 A cryptosystem with coinciding H(K) and H(C) shall be called 
a cryptosystem of Vernam type. Examples are given by encryptions with 
VIGENERE, BEAUFORT, and particularly VERNAM encryption steps, but 
also by linear polygraphic block encryptions. 

In the stochastic model this condition is particularly fulfilled, if both C and 
K are texts of k characters with maximal H(K) and maximal H(C ) : 
H(K) = H(C) = k ■ Id N . 

Main Theorem (Claude E. Shannon 1949): 

In a classical cryptosystem, any two of the three properties 
perfect , 

independent key , 
of Vernam type 
imply the third one. 

The proof is obvious from Figure 190. 
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A.4.3 A sufficient condition for a classical cryptosystem to be perfect is that 
it is independent key and of Vernam type; these conditions can be guaranteed 
from outside. Then H(P) < H(C) = H(K). 

In the stochastic model, perfect security requires with H(P) < H(K) that 
the key possesses at least as many characters as the plaintext, which means 
that every description of the key is at least as long as the key itself (Chaitin’s 
requirement, Sect. 8.8.4). 

Thus, perfect security requires safe distribution of an independent key which 
provides for every plaintext character a key character—an extreme require¬ 
ment, which frequently cannot be fulfilled in practice. Non-perfect practical 
security is guaranteed only by the time required for breaking the encryption. 

A.4.4 Shannon discussed a further property of a cryptosystem. We call a 
cryptosystem ideal (Shannon: strongly ideal), if cryptotext and keytext are 
mutually independent: 

I(K, C) = 0 . 

This is equivalent to H{K) = Hc{K ) and to H{C) = Hk{C) . 

According to Shannon, ideal cryptosystems have practical disadvantages: for 
a perfect cryptosystem, H{I\) = H{P) must hold. Perfect ideal cryptosys¬ 
tems are necessarily adapted to the plaintext language, which usually is a 
natural language. In this case, rather complicated encryption algorithms are 
necessary. Also, transmission errors inevitably cause an avalanche effect. In 
fact, we have here a practically unattainable ideal. 

A.5 Unicity Distance 

The condition Hq{P) > 0 expresses that for known cryptotext there remains 
some uncertainty on the plaintext. For a classical cryptosystem with in¬ 
dependent key (not necessarily perfect) this means, by Theorem 3 C , 

H(K) > H(C) - H{P) . 

We now use the stochastic model, with plaintext words V* and cryptotext 
words W* over a character set V = W of N characters. We restrict our 
attention to words of length k . 

Following Heilman (1975), we assume that Np and Nc are numbers such 
that among the N k words of length k the number of meaningful, i.e., possibly 
occurring, ones is just ( Np) k and the number of occurring cryptotexts is 
just ( Nc) k ■ Then Np < N and Nq < N . If all these texts occur with 
equal probability, then in the stochastic model 

H(P) = k ■ IdN P , H(C) = k-ldNc . 

Furthermore, we assume that Z is the cardinality of the class of methods, 
i.e., the number of key words. Assume that all these key words occur with 
equal probability. Then 
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H(K) =ldZ . 

The inequality above, meaning the existence of an uncertainty, turns into 
ldZ > k - (ldN c -ldNp) 
or, provided Id Nc > Id Np , 

1 


k < £/, where U = 


■ldZ . 


Id N c — Id Np 

Thus, if k > U, there is no uncertainty. U is a unicity distance (Sect. 12.6). 


If Nc is maximal, Nc = N , i.e., if all possible cryptotexts occur with equal 
probability, and if Np < N , i.e., plaintexts are in a natural language, then 
the condition Id Nc > Id Np is certainly fulfilled, and the unicity distance is 


U = 


1 

Id N — Id N P 


AdZ ; 


it is determined solely by the Shannon entropy Id Np of the plaintext words. 
This depends in turn on the cryptanalytic procedure. If the analysis is limited 
to single-letter frequencies, then the Shannon entropy Id Np ' is to be consid¬ 
ered, the values of which are not very different in English, French, or German, 
and amount in the Meyer-Matyas count to Id Np ' 1 « 4.17 [bit], where N = 26 
and IdIV = Id26 « 4.70 [bit]. Furthermore, with ldlVp 2 ' 1 rs 3.5 [bit] for bi- 
gram frequencies and Id Np, ' rs 3.2 [bit] for trigram frequencies, we find 


(1) 

Ur 

" 0.53 

for decryption with single-letter frequencies, 

(2) 

U R 

Id z 

for decryption with bigram frequencies, 

(3) 

U S 


for decryption with trigram frequencies. 


For plaintext words, the average length is about 4.5 and the corresponding 
Shannon entropy about ldIVp W) rs 2.6 [bit], thus 

(w) U rs Id Z for decryption with word frequencies. 

The Shannon entropy of the English language under consideration of all, even 
grammatical and semantic, side conditions is considerably smaller; a value of 
about Id Np rs 1.2 [bit] seems about right. This gives the unicity distance 

(*) U rs 3 ^ Id Z for decryption in freestyle, 

which is also given in Sect. 12.6 . 

For simple (monographic) substitution with Z = 26!, we have Id Z = 88.38 
(Sect. 12.1.1.1); this leads to the values 167, 74, 59, 42, and 25 for the 
unicity distance, which are confirmed by practical experience. The situation 
is rather similar for the German, French, Italian, Russian, and related Indo- 
European languages. 
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A.6 Code Compression 

Although Shannon was led to his information theory by his occupation with 
cryptological questions during the Second World War, information theory, 
in the form relevant and interesting for communication engineering, has no 
secrecy aspects. Its practical importance lies more in showing how to increase 
the transmission rate 3 by suitable coding, up to a limit which corresponds to 
a message without any redundancy—say a message P of k characters with 
the maximal uncertainty H (P) = k ■ Id N . 

The cryptological results above apply immediately to communication chan¬ 
nels. Theoretically, a transmission requiring Id 26 = 4.70 [bit/char] can be 
compressed by coding to one requiring only about 1.2 [bit/char]. A good ap¬ 
proximation of this rate needs tremendous circuitry. The simplest case of a 
Huffman coding works on single characters only and reduces the transmission 
rate only to about 4.17 [bit/char], while Huffman coding for bigrams and tri¬ 
grams, which needs a larger memory, does not bring a dramatic reduction. In 
future, however, economic and practical redundancy elimination by Huffman 
coding for tetragrams should be within reach using special chips. 

The situation is different for the transmission of pictures. The compression 
obtainable by relatively simple methods is remarkable and finds increasingly 
practical use. For these applications, the truism of post-Shannon cryptology, 
that code compression of the plaintext is a useful step in improving the 
practical security of a cryptosystem, is particularly appropriate. 

A.7 Impossibility of Complete Disorder 

When in the 1920s the use of independent (“individual”) keys was recom¬ 
mended, their fabrication did not seem to be a problem. That an individual 
key should be a random sequence of key characters was intuitively clear. Af¬ 
ter the work of Shannon and particularly of Chaitin in 1974, all attempts to 
produce a random sequence algorithmically had to be dropped. If keys were 
to be generated by algorithms, genuine random keytexts were not attainable. 
Thus, some order had to remain—the question was which one. 

Consequently, ‘pseudorandom sequences’ with a long period were increas¬ 
ingly suspected of having hidden regularities that would help cryptanalysis, 
although concrete examples are so far lacking in the open literature. The pro¬ 
fessionals responsible for the security of their own systems were faced with 
more and more headaches, while aspiring codebreakers could always hold out 
the hope of unexpected solutions. 

Strangely, at about this time a similar development took place in mathe¬ 
matics. In 1973, H. Burkill and L. Mirsky wrote: 


3 Note the Sampling Theorem: A message being limited to frequencies up to /o [sec 1 1 
can be represented by sampling it every y/- [sec] (Whittaker, 1915; Shannon, 1940). 
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” There are numerous theorems in mathematics which assert , crudely 
speaking, that every system of a certain class possesses a large sub¬ 
system with a higher degree of organization than the original system.” 

We give a number of examples: 

(1) Every graph of n nodes contains either a large subgraph of k nodes 
which is connected, or a large subgraph of k nodes which is unconnected. 
( k is the Ramsey number, e.g., k = 6 for n = 102, F. P. Ramsey 1930) 

(2) Every bounded infinite sequence of complex numbers contains a conver¬ 
gent infinite subsequence. (K. Weierstrass 1865) 

(3) If the natural numbers are partitioned into two classes, at least one of 
these classes contains an arithmetic series of arbitrarily large length. 

(Issai Schur about 1925, B.L. van der Waerden 1927) 

(4) Every partial order of n 2 + 1 elements contains either a chain of length 
n + 1 or a set of n + 1 incomparable elements. (R. P. Dilworth 1950) 

(5) Every sequence of n 2 + 1 natural numbers contains either a monotoni- 
cally increasing or a monotonically decreasing subsequence of length n + 1. 
(P. Erdos, G. Szekeres 1950) 

Between these and some other examples there seemed to be no connection, 
before Paul Erdos, in 1950 (‘ Complete chaos is impossible’) , tried a synopsis 
and found a general theorem which gave many single results by specializa¬ 
tion. Under the name Ramsey Theory (F.P. Ramsey, 1903-1030), this has 
led since 1970 to many subtle mathematical works on disorderly systems with 
orderly subsystems; for example, in 1975 ‘on sets of integers containing no 
k in arithmetic progression’ by E. Szemeredi. The fundamental impossibility 
of complete disorder should be interpreted as a warning to cryptologists, to 
be careful with the use of machine-produced keys—at the moment only a 
theoretical danger, but nevertheless a serious one. 

Marian Rejewski, Polish hero of decryption, expressed the warning in 1978 
in the following form: 

“ Whenever there is arbitrariness, there is also a certain regularity.” 
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Solution for the second Cryptoquip of Fig. 101: 

I=m . Entry with search for patterns results in 1211234 (for KRKKRLH) and 
53675 (for ULZIU) . Among the one or two dozen possible instantiations only 
very few are not too weird. Among those, /peppery/, followed by (for 5r675) 
/aroma/ are suitable and lead to further success: 


KRKKRLH PLRUI OZGK AYMMGORA U LYPQ,QRUAH ULZIU 


peppery re p 

peppery ream o p 

peppery ere am soup 

peppery cream soup i 

peppery cream soup cli 

peppery cream soup cl i f 


e r , e y r 

e a r , e a y aroma 

use a r c , ea y aroma 

use a rich ,hea y aroma 

used a rich, heady aroma 
fused a rich,heady aroma 



